FDCC-Settings-major-version-1.2.x.0 - Excel

Revision History

Each entry gives the worksheet and cell(s) changed, followed by the change. Entries for version 1.0 also give the row of the accompanying change list.

2009.02.03 v1.2.x.0
  FDCC_Other_Settings/FDCC_Security_Settings, all rows, columns H and I: Added CCE v5 IDs.
  FDCC_Other_Settings/FDCC_Security_Settings, row 2, column E: Corrected CCE v4 ID from CCE-754 to CCE-980.
  FDCC_Other_Settings/FDCC_Security_Settings, rows 20 and 21, column E: The CCE IDs for these two settings were reversed; the correct values are as follows: Row 20 is CCE-462 and Row 21 is CCE-726.
  FDCC_Other_Settings/FDCC_Security_Settings, row 22, column D: Changed the value from "Configured" to "Not Defined."
  FDCC_Other_Settings/FDCC_Security_Settings, multiple rows, columns C and D: There were numerous settings that were listed as "Not Configured," but in the group policy editor these specific settings will appear as "Not Defined" when no value is specified. The term "Not Defined" is used in the Computer Configuration\Windows Settings\Security Settings portion of group policy while "Not Configured" is used in the Administrative Templates portions. The two terms are functionally equivalent; however, this discrepancy was causing confusion.
  FDCC_Other_Settings/FDCC_Security_Settings, rows 166 and 193, column B: Added a comment explaining that the "Log on locally" and "Allow log on locally" user rights refer to the same one. In Windows XP the right appears as "Log on locally" but in Windows Vista it appears as "Allow log on locally." What you will see in the group policy management tools depends on which version of Windows you are using.
  FDCC_Other_Settings/FDCC_Security_Settings, row 23, column D: Changed the value from "Configured" to "Not Defined."
  FDCC_Other_Settings/FDCC_Security_Settings, row 24, column D: Changed the value from "Configured" to "Not Defined."
  FDCC_Security_Settings, row 40, column G: Changed description from "Permission to execute and read removed from Users" to "Permission to execute and read given to Users".
  FDCC_Security_Settings, rows 55-63, column E: Updated CCE IDs from 4.0 to 4.2.
  FDCC_Security_Settings, row 77, column F: Appended " Services\Servers\AddPrinterDrivers".
  FDCC_Security_Settings, row 119, column E: Added CCE v4 ID - CCE-271.
  FDCC_Security_Settings, row 119, column F: Added "MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon!ScreenSaverGracePeriod".
  FDCC_Security_Settings, row 131, columns D, E, and F: Microsoft renamed the setting that was known as "Network access: Remotely accessible registry paths" in Windows 2000 and Windows XP. In later versions of Windows that setting is called "Network access: Remotely accessible registry paths and subpaths." So, column D now specifies the default value for this setting for Windows XP and column E includes the version 4 CCE IDs that are listed for Windows XP and Windows Vista by MITRE. Also added a comment explaining this confusing situation to column F. It is critical to understand that if you edit this setting on a computer running Windows XP it will appear as "Network access: Remotely accessible registry paths" but on later versions of Windows it is called "Network access: Remotely accessible registry paths and subpaths".
  FDCC_Other_Settings, row 56, column F: Added "HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate".
  FDCC_Other_Settings, row 183, column F: Appended "Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!iexplore.exe".
  FDCC_Other_Settings, row 184, column F: Appended "Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!iexplore.exe".
  FDCC_Other_Settings, row 186, column F: Appended "Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!iexplore.exe".
  FDCC_Other_Settings, row 189, column F: Appended "Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!iexplore.exe".
  FDCC_Other_Settings, row 200, column F: Added "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime".
  FDCC_Other_Settings, row 199, column E: Corrected CCE v4 ID from CCE-397 to CCE-920.
  FDCC_Other_Settings, row 203, column E: Corrected CCE v4 ID from CCE-648 to CCE-397.
  FDCC_Other_Settings, row 224, column E: Corrected CCE v4 ID from CCE-729 to CCE-802.
  FDCC_Other_Settings, row 299, column F: Changed Policy Setting Name from "Configure Microsoft Spynet Reporting" to "Display Error Notification".
  FDCC_Other_Settings, row 329, column E: Added CCE v4 ID - CCE-174.
  FDCC_Other_Settings, row 330, column E: Added CCE v4 ID - CCE-1109.
  FDCC_Other_Settings, row 248, column E: Corrected CCE ID, changed it from CCE-421 to CCE-117.
  FDCC_Other_Settings, rows 38 and 236, column E: Added notes to the settings named "Registry Policy Processing" and "Apply local connection security rules", which have been assigned the same CCE ID; awaiting resolution from MITRE.
  FDCC_Other_Settings, row 28, column F: Added "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableUnicastResponseToMulticastBroadcast".
  FDCC_Other_Settings, row 45, column F: Added "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith".
  FDCC_Other_Settings, row 118, column E: Corrected the registry path to point to the Machine hive rather than the Current User hive; the path is now "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A00".
  FDCC_Other_Settings, row 98, column E: Corrected the registry path to point to the Machine hive rather than the Current User hive; the path is now "HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions".
  FDCC_Other_Settings, row 130, column F: Corrected the registry path to point to "MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine".
  FDCC_Other_Settings, row 130, column D: Changed the value to "(Not Applicable)" for Windows XP.

2008.06.19 v1.0
  FDCC_Other_Settings, row 90, columns C/D (change list row 5): Changed setting "Turn off "Delete Browsing History" functionality" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 40, column D (change list row 6): Added "Users: Read & Execute" permissions to setting "%SystemRoot%\system32\mshta.exe" for XP.
  FDCC_Other_Settings, row 130, columns C/D (change list row 7): Changed setting "Java permissions" for Intranet zone from "Enabled:Disable-java" to "Enabled: High Safety" for both Vista and XP.
  FDCC_Security_Settings, row 75, columns C/D (change list row 8): Changed setting "Devices: Allow undock without having to log on" from "Enabled" for Vista and "Disabled" for XP to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 81, column D (change list row 9): Changed setting "Domain controller: Allow server operators to schedule tasks" from "Not Defined" to "Not Configured" for XP.
  FDCC_Other_Settings, row 223, columns C/D (change list row 10): Changed setting "Prevent Desktop Shortcut Creation" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 37, columns C/D (change list row 11): Changed setting "Internet Explorer Maintenance policy processing" from "Enabled: All three options checked. Allow processing across a slow network connection. Do not apply during periodic background processing. Process even if the Group Policy objects have not changed." for Vista and "Not Defined" for XP to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 102, columns C/D (change list row 12): Changed setting "Do not allow resetting Internet Explorer settings" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 69, column C (change list row 13): Changed setting "Turn Off Autoplay" from "Enabled: All Types of Drives" to "Enabled: All Drives" for Vista.
  FDCC_Security_Settings, row 83, column D (change list row 14): Changed setting "Domain controller: Refuse machine account password changes" from "Not Defined" to "Not Configured" for XP.
  FDCC_Other_Settings, row 127, columns C/D (change list row 15): Changed setting "Web Browser Applications" for Internet zone from "Disabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 176, columns C/D (change list row 16): Changed setting "Web Browser Applications" for Restricted Sites zone from "Disabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 182, columns C/D (change list row 17): Changed setting "Enable Native XMLHttp Support" from "Disabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 38, columns C/D (change list row 18): Changed setting "Registry policy processing" from "Enabled: All two options checked. Process even if the Group Policy objects have not changed. Do not apply during periodic background processing." for Vista and "Not Defined" for XP to "Enabled: Process even if the Group Policy objects have not changed." for both Vista and XP.
  FDCC_Other_Settings, row 58, columns C/D (change list row 19): Changed setting "Do not process the run once list" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 179, columns C/D (change list row 20): Changed setting "Java permissions" for Trusted Sites zone from "Enabled:Disable-java" to "Enabled: High Safety" for both Vista and XP.
  FDCC_Other_Settings, row 60, column C (change list row 21): Changed setting "Turn off Windows Startup Sound" from "Enabled" to "Not Configured" for Vista.
  FDCC_Other_Settings, row 96, columns C/D (change list row 22): Changed setting "Allow Install On Demand (Internet Explorer)" from "Disabled" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 82, column D (change list row 23): Changed setting "Domain controller: LDAP server signing requirements" from "Not Defined" to "Not Configured" for XP.
  FDCC_Other_Settings, row 51, column D (change list row 24): Changed setting "Turn off the Windows Messenger Customer Experience Improvement Program" from "Not Defined" to "Enabled" for Vista.
  FDCC_Other_Settings, row 329 (change list row 25): Added setting "Turn off Help Experience Improvement Program" and set to "Enabled" and "Not Applicable" for Vista and XP.
  FDCC_Security_Settings, row 74, columns C/D (change list row 26): Changed setting "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" from "Not Defined" to "Not Configured" for both XP and Vista.
  FDCC_Security_Settings, row 219, columns C/D (change list row 27): Changed setting "Remote Access Connection Manager" from "Not Defined" for Vista and "Disabled" for XP to "Not Configured" for both XP and Vista.
  FDCC_Other_Settings, row 274, columns C/D (change list row 28): Changed setting "Disable Internet Connection wizard" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 76, columns C/D (change list row 29): Added "Interactive Users" to the permissions list for "Devices: Allowed to format and eject removable media" for both XP and Vista.
  FDCC_Other_Settings, row 94, columns C/D (change list row 30): Changed setting "Prevent ignoring certificate errors" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 110, columns C/D (change list row 31): Changed setting "MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 327 (change list row 32): Added setting "Download signed ActiveX controls" for Trusted Sites zone and set to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 328 (change list row 33): Added setting "Download signed ActiveX controls" for Intranet zone and set to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 111, columns C/D (change list row 34): Changed setting "Allow status bar updates via script" for Internet zone from "Enabled:Disable" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 142, columns C/D (change list row 34): Changed setting "Allow status bar updates via script" for Locked-Down Trusted Sites zone from "Enabled:Disable" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 155, columns C/D (change list row 34): Changed setting "Allow status bar updates via script" for Restricted Sites zone from "Enabled:Disable" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 129, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Internet zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 131, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Local Machine zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 133, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Locked-Down Internet zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 136, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Locked-Down Intranet zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 138, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Locked-Down Local Machine zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 140, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Locked-Down Restricted Sites zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 143, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Locked-Down Trusted Sites zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 178, columns C/D (change list row 35): Changed setting "Display Mixed Content" for Trusted Sites zone from "Enabled:Enable for all zones except Internet and restricted sites" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 330 (change list row 36): Added setting "Turn off Help Ratings" and set to "Enabled" and "Not Applicable" for Vista and XP.
  FDCC_Security_Settings, row 119, columns C/D (change list row 37): Changed setting "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 Recommended)" from "0 sec" to "5 sec" for both Vista and XP.
  FDCC_Security_Settings, row 5, columns C/D (change list row 38): Changed setting "Enforce user logon restrictions" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 8, columns C/D (change list row 39): Changed setting "Maximum lifetime for user ticket renewal" from "7 days" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 7, columns C/D (change list row 40): Changed setting "Maximum lifetime for user ticket" from "10 hours" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 9, columns C/D (change list row 41): Changed setting "Maximum tolerance for computer clock synchronization" from "5 minutes" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 6, columns C/D (change list row 42): Changed setting "Maximum lifetime for service ticket" from "600 minutes" to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, row 187, columns C/D (change list row 43): Changed setting "Internet Explorer Processes" from "Enabled" to "Not Configured" for both Vista and XP.
  FDCC_Security_Settings, row 222, columns C/D (change list row 44): Changed setting "Task Scheduler" from "Not Defined" for Vista and "Disabled" for XP to "Not Configured" for both Vista and XP.
  FDCC_Other_Settings, n/a (change list row n/a): Deleted setting "Site to Zone Assignment List" from FDCC settings list, because both Vista and XP values were set to "Not Configured".
  FDCC_Other_Settings, n/a (change list row n/a): Deleted setting "Windows Firewall: Define port exceptions" from FDCC settings list, because Vista was set to "Not Applicable" and XP was set to "Not Configured".

2008.02.08 v1-0-2
  FDCC_Other_Settings, row 39, column C: Replaced the "Enabled" value with "Enabled: All two options checked".
  FDCC_Other_Settings, row 238, column G: Following text added: "This setting is applied via the FDCC_VISTA_FIREWALL GPO. It is separate from the "Group Policy" CCE of the same number".
  FDCC_Security_Settings, row 174, column D: Changed from "Administrators, Interactive, Service" to "Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE." Test failed with previous settings.
  FDCC_Other_Settings, row 198, column G: Added the following text: "Note: this setting has a different name (Remote Desktop Connection Client) when viewing the GPO using Vista GPMC".

2007.10.30 v1-0-1
  Revision History: Added the revision history worksheet.
  FDCC_Security_Settings, row 118: This is not a new setting. It was included in the VHD and GPO but it was not documented in the version 1-0-0 spreadsheet. MSS: (SafeDLLSearchMode) Enable safe DLL search mode (Recommended).
  FDCC_Security_Settings, row 119: This is not a new setting. It was included in the VHD and GPO but it was not documented in the version 1-0-0 spreadsheet. MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 Recommended).
  FDCC_Security_Settings, row 174, column D: Replaced the "Not Defined" value with "Administrators, Interactive, Service" for the FDCC Windows XP "Create global objects" setting.
  FDCC_Security_Settings, row 188, column B: Replaced the setting "Increase Scheduling Authority" with "Increase scheduling priority".
  FDCC_Other_Settings, row 39, column B: Replaced the "Enabled" value with "Enabled: All two options checked. Process even if the Group Policy objects have not changed. Do not apply during periodic background processing." for the FDCC Windows Vista "Registry policy processing" setting.

Release summary
  2008.02.08 v1-0-2: Additional updates to the FDCC documentation.
  2007.10.23 v1-0-1: Update to the FDCC documentation.
  2007.07.31 v1-0-0: Initial release of the FDCC documentation.
Policy Path                Policy Setting Name           FDCC Windows Vista         FDCC Windows XP            CCE         Registry Setting   Description
                                                                                                               Reference
Computer                   Account lockout duration      15 minutes                 15 minutes                 CCE-980                        This security setting determines the number of minutes a
Configuration\Windows                                                                                                                         locked-out account remains locked out before automatically
                                                                                                                                              becoming unlocked. The available range is from 0 minutes
Settings\Security                                                                                                                             through 99,999 minutes. If you set the account lockout
Settings\Account                                                                                                                              duration to 0, the account will be locked out until an
Policies\Account Lockout                                                                                                                      administrator explicitly unlocks it. If an account lockout
Policy                                                                                                                                        threshold is defined, the account lockout duration must be
                                                                                                                                              greater than or equal to the reset time.
                                                                                                                                              Default: None, because this policy setting only has meaning
                                                                                                                                              when an Account lockout threshold is specified.
                                                                                                                                              NOTE: 15 minutes is recommended by the Vista Security
                                                                                                                                              Guide, due to fears of Denial of Service attacks taking down
                                                                                                                                              systems too easily.




Computer                   Account lockout threshold     5 invalid logon attempts   5 invalid logon attempts   CCE-658                        This security setting determines the number of failed logon
Configuration\Windows                                                                                                                         attempts that causes a user account to be locked out. A
                                                                                                                                              locked-out account cannot be used until it is reset by an
Settings\Security                                                                                                                             administrator or until the lockout duration for the account has
Settings\Account                                                                                                                              expired. You can set a value between 0 and 999 failed logon
Policies\Account Lockout                                                                                                                      attempts. If you set the value to 0, the account will never be
Policy                                                                                                                                        locked out.
                                                                                                                                              Failed password attempts against workstations or member
                                                                                                                                              servers that have been locked using either
                                                                                                                                              CTRL+ALT+DELETE or password-protected screen savers
                                                                                                                                              count as failed logon attempts.
                                                                                                                                              Default: 0.

Computer                   Reset lockout counter after   15 minutes                 15 minutes                 CCE-733                        This security setting determines the number of minutes that
Configuration\Windows                                                                                                                         must elapse after a failed logon attempt before the failed
                                                                                                                                              logon attempt counter is reset to 0 bad logon attempts. The
Settings\Security                                                                                                                             available range is 1 minute to 99,999 minutes.
Settings\Account                                                                                                                              If an account lockout threshold is defined, this reset time must
Policies\Account Lockout                                                                                                                      be less than or equal to the Account lockout duration.
Policy                                                                                                                                        Default: None, because this policy setting only has meaning
                                                                                                                                              when an Account lockout threshold is specified.




Computer                   Enforce user logon            Not Defined                Not Defined                CCE-227                        Determines whether the Kerberos V5 Key Distribution Center
Configuration\Windows      restrictions                                                                                                       (KDC) validates every request for a session ticket against the
                                                                                                                                              user rights policy of the target computer. Validation of each
Settings\Security                                                                                                                             request for a session ticket is optional, because the extra step
Settings\Account                                                                                                                              takes time and it may slow network access to services.
Policies\Kerberos Policy                                                                                                                      When this policy is enabled, the user who requests the
                                                                                                                                              session ticket must have the right to Log on locally (if the
                                                                                                                                              requested service is running on the same computer) or the
                                                                                                                                              right to Access this computer from the network (if the
                                                                                                                                              requested service is on a remote computer) to receive a
                                                                                                                                              session ticket. If this policy is disabled, the check is not
                                                                                                                                              performed.
Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Setting: Maximum lifetime for service ticket
Values: Not Defined / Not Defined
CCE ID: CCE-6
Description: Determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket. If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Setting: Maximum lifetime for user ticket
Values: Not Defined / Not Defined
CCE ID: CCE-37
Description: Determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used. When a user's TGT expires, a new one must be requested or the existing one must be "renewed."

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Setting: Maximum lifetime for user ticket renewal
Values: Not Defined / Not Defined
CCE ID: CCE-33
Description: Determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Setting: Maximum tolerance for computer clock synchronization
Values: Not Defined / Not Defined
CCE ID: CCE-588
Description: Determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on a client's clock and the time on a server's clock while still considering the two clocks to be synchronous. To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the server need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client's clock and server's clock. If the difference between a client's clock and the server's clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Setting: Enforce password history
Values: 24 passwords remembered / 24 passwords remembered
CCE ID: CCE-60
Description: This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Note: By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Setting: Maximum password age
Values: 60 days / 60 days
CCE ID: CCE-871
Description: This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources.
Default: 42.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Setting: Minimum password age
Values: 1 day / 1 day
CCE ID: CCE-324
Description: This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
Note: By default, member computers follow the configuration of their domain controllers.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Setting: Minimum password length
Values: 12 characters / 12 characters
CCE ID: CCE-100
Description: This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.
Default: 7 on domain controllers, 0 on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Setting: Password must meet complexity requirements
Values: Enabled / Enabled
CCE ID: CCE-633
Description: This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
• Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
• Be at least six characters in length
• Contain characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
Default: Enabled on domain controllers. Disabled on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.

Policy path: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Setting: Store passwords using reversible encryption for all users in the domain
Values: Disabled / Disabled
CCE ID: CCE-479
Description: This security setting determines whether the operating system stores passwords using reversible encryption.
This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).
Default: Disabled.

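The six Password Policy rows above, together with the interaction rules their descriptions give (minimum age below maximum age, history only effective with a non-zero minimum age, reversible encryption equivalent to plaintext), can be audited from a `secedit /export` file. The following checker is an added example, not part of the FDCC spreadsheet: the two export files embedded in it are constructed, and the `[System Access]` key names are the ones secedit writes.

```python
"""Audit the Password Policy rows above against a `secedit /export` file.

Added example, not part of the FDCC spreadsheet: the two exports below are
constructed, and the [System Access] key names are the ones secedit writes.
"""

# FDCC values from the rows above, keyed by secedit's [System Access] names.
FDCC_PASSWORD_POLICY = {
    "PasswordHistorySize": 24,    # Enforce password history: 24 passwords remembered
    "MaximumPasswordAge": 60,     # Maximum password age: 60 days
    "MinimumPasswordAge": 1,      # Minimum password age: 1 day
    "MinimumPasswordLength": 12,  # Minimum password length: 12 characters
    "PasswordComplexity": 1,      # Password must meet complexity requirements: Enabled
    "ClearTextPassword": 0,       # Store passwords using reversible encryption: Disabled
}

# Constructed export that matches the FDCC values.
SAMPLE_EXPORT_COMPLIANT = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
"""

# Constructed export: default age and length, minimum age 0, reversible encryption on.
SAMPLE_EXPORT_WEAK = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 1
"""


def parse_secedit_export(text):
    """Parse secedit's INF-style output into {section: {key: value}}; values stay strings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):             # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):  # section header
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def _int_or_none(values, key):
    """Integer value of a key, or None when it is missing or not numeric."""
    try:
        return int(values.get(key))
    except (TypeError, ValueError):
        return None


def audit_password_policy(export_text, expected=FDCC_PASSWORD_POLICY):
    """Return a list of findings; an empty list means the export matches the FDCC
    password policy and satisfies the interaction rules from the descriptions."""
    values = parse_secedit_export(export_text).get("System Access", {})
    findings = []

    # 1. Each setting must equal the FDCC value (a missing key is a finding too).
    for key, want in expected.items():
        if _int_or_none(values, key) != want:
            findings.append(f"{key}: found {values.get(key)!r}, FDCC value is {want}")

    max_age = _int_or_none(values, "MaximumPasswordAge")
    min_age = _int_or_none(values, "MinimumPasswordAge")
    history = _int_or_none(values, "PasswordHistorySize")

    # 2. When the maximum age is 1..999 days, the minimum age must be smaller.
    if None not in (max_age, min_age) and 1 <= max_age <= 999 and min_age >= max_age:
        findings.append(f"MinimumPasswordAge {min_age} is not less than MaximumPasswordAge {max_age}")

    # 3. A minimum age of 0 lets users cycle straight through the history,
    #    so Enforce password history is not effective.
    if min_age == 0 and history:
        findings.append(f"MinimumPasswordAge is 0, so PasswordHistorySize={history} can be cycled through at once")

    # 4. Reversible encryption is equivalent to storing plaintext passwords.
    if _int_or_none(values, "ClearTextPassword") == 1:
        findings.append("ClearTextPassword=1: passwords stored with reversible encryption (equivalent to plaintext)")

    return findings


if __name__ == "__main__":
    for name, export in (("compliant", SAMPLE_EXPORT_COMPLIANT), ("weak", SAMPLE_EXPORT_WEAK)):
        print(name, audit_password_policy(export) or "no findings")
```

On a real host, run `secedit /export /cfg <file>` as an administrator and pass the file's contents to `audit_password_policy`.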
Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Maximum application log size
Values: Not Defined / 16384 kilobytes
CCE ID: CCE-185
Description: Specifies the maximum size of the application event log, which has a maximum of 4 GB.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Maximum security log size
Values: Not Defined / 81920 kilobytes
CCE ID: CCE-757
Description: Specifies the maximum size of the security event log, which has a maximum size of 4 GB.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Maximum system log size
Values: Not Defined / 16384 kilobytes
CCE ID: CCE-735
Description: Specifies the maximum size of the system event log, which has a maximum size of 4 GB.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Prevent local guests group from accessing application log
Values: Not Defined / (Not Applicable)
CCE ID: CCE-299
Description: Determines if guests are prevented from accessing the application event log.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Prevent local guests group from accessing security log
Values: Not Defined / (Not Applicable)
CCE ID: CCE-462
Description: Determines if guests are prevented from accessing the security event log.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Prevent local guests group from accessing system log
Values: Not Defined / (Not Applicable)
CCE ID: CCE-726
Description: Determines if guests are prevented from accessing the system event log.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Retain application log
Values: Not Defined / Not Defined
CCE ID: CCE-951
Description: Determines the number of days' worth of events to be retained for the log if the retention method for the application log is "By Days." Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum log size is large enough to accommodate the interval.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Retain security log
Values: Not Defined / Not Defined
CCE ID: CCE-682
Description: Determines the number of days' worth of events to be retained for the log if the retention method for the security log is "By Days." Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum log size is large enough to accommodate the interval.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Retain system log
Values: Not Defined / Not Defined
CCE ID: CCE-210
Description: Determines the number of days' worth of events to be retained for the log if the retention method for the system log is "By Days." Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum log size is large enough to accommodate the interval.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Retention method for application log
Values: Not Defined / Not Defined
CCE ID: CCE-285
Description: Determines the "wrapping" method for the application log. If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the "Retain application log" setting. Make sure that the Maximum application log size is large enough to accommodate the interval.
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded.
Default: None.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Retention method for security log
Values: Not Defined / Not Defined
CCE ID: CCE-523
Description: Determines the "wrapping" method for the security log. If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the "Retain security log" setting. Make sure that the Maximum security log size is large enough to accommodate the interval.
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded.
Default: None.

Policy path: Computer Configuration\Windows Settings\Security Settings\Event Log
Setting: Retention method for system log
Values: Not Defined / Not Defined
CCE ID: CCE-664
Description: Determines the "wrapping" method for the system log. If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the "Retain system log" setting. Make sure that the Maximum system log size is large enough to accommodate the interval.
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded.
Default: None.

Path:         Computer Configuration\Windows Settings\Security Settings\File System

Object                                   Default          FDCC value                                                 CCE ID     Comment
%SystemRoot%\system32\rcp.exe            Not Configured   Administrators: Full; System: Full                         CCE-997    Permission to execute and read removed from Users
%SystemRoot%\system32\reg.exe            Not Configured   Administrators: Full; System: Full                         CCE-547    Permission to execute and read removed from Users
%SystemRoot%\system32\regedt32.exe       Not Configured   Administrators: Full; System: Full                         CCE-865    Permission to execute and read removed from Users
%SystemRoot%\regedit.exe                 Not Configured   Administrators: Full; System: Full                         CCE-795    Permission to execute and read removed from Users
%SystemRoot%\System32\arp.exe            Not Configured   Administrators: Full; System: Full                         CCE-600    Permission to execute and read removed from Users
%SystemRoot%\System32\at.exe             Not Configured   Administrators: Full; System: Full                         CCE-393    Permission to execute and read removed from Users
%SystemRoot%\System32\attrib.exe         Not Configured   Administrators: Full; System: Full                         CCE-166    Permission to execute and read removed from Users
%SystemRoot%\System32\cacls.exe          Not Configured   Administrators: Full; System: Full                         CCE-977    Permission to execute and read removed from Users
%SystemRoot%\System32\debug.exe          Not Configured   Administrators: Full; System: Full                         CCE-201    Permission to execute and read removed from Users
%SystemRoot%\System32\edlin.exe          Not Configured   Administrators: Full; System: Full                         CCE-20     Permission to execute and read removed from Users
%SystemRoot%\System32\eventcreate.exe    Not Configured   Administrators: Full; System: Full                         CCE-489    Permission to execute and read removed from Users
%SystemRoot%\System32\eventtriggers.exe  Not Configured   Administrators: Full; System: Full                         CCE-917    Permission to execute and read removed from Users
%SystemRoot%\system32\mshta.exe          Not Configured   Administrators: Full; System: Full; Users: Read & Execute  CCE-1225   Permission to execute and read given to Users
%SystemRoot%\system32\net.exe            Not Configured   Administrators: Full; System: Full                         CCE-731    Permission to execute and read removed from Users
%SystemRoot%\system32\net1.exe           Not Configured   Administrators: Full; System: Full                         CCE-607    Permission to execute and read removed from Users
%SystemRoot%\system32\netsh.exe          Not Configured   Administrators: Full; System: Full                         CCE-158    Permission to execute and read removed from Users
%SystemRoot%\System32\regini.exe         Not Configured   Administrators: Full; System: Full                         CCE-543    Permission to execute and read removed from Users
%SystemRoot%\system32\regsvr32.exe       Not Configured   Administrators: Full; System: Full                         CCE-657    Permission to execute and read removed from Users
%SystemRoot%\system32\rexec.exe          Not Configured   Administrators: Full; System: Full                         CCE-274    Permission to execute and read removed from Users
%SystemRoot%\system32\route.exe          Not Configured   Administrators: Full; System: Full                         CCE-168    Permission to execute and read removed from Users
%SystemRoot%\system32\rsh.exe            Not Configured   Administrators: Full; System: Full                         CCE-353    Permission to execute and read removed from Users
%SystemRoot%\system32\sc.exe             Not Configured   Administrators: Full; System: Full                         CCE-516    Permission to execute and read removed from Users
%SystemRoot%\System32\secedit.exe        Not Configured   Administrators: Full; System: Full                         CCE-922    Permission to execute and read removed from Users
%SystemRoot%\system32\subst.exe          Not Configured   Administrators: Full; System: Full                         CCE-921    Permission to execute and read removed from Users
%SystemRoot%\System32\systeminfo.exe     Not Configured   Administrators: Full; System: Full                         CCE-225    Permission to execute and read removed from Users
%SystemRoot%\system32\tftp.exe           Not Configured   Administrators: Full; System: Full                         CCE-348    Permission to execute and read removed from Users
%SystemRoot%\system32\tlntsvr.exe        Not Configured   Administrators: Full; System: Full                         CCE-718    Permission to execute and read removed from Users

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit account logon events
Default:      Not Defined
FDCC value:   Success, Failure
CCE ID:       CCE-2628, CCE-2543
Description:  Determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
              If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
              If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit account management
Default:      Not Defined
FDCC value:   Success, Failure
CCE ID:       CCE-2000, CCE-1646
Description:  Determines whether to audit each event of account management on a computer. Examples of account management events include the following:
              • A user account or group is created, changed, or deleted.
              • A user account is renamed, disabled, or enabled.
              • A password is set or changed.
              If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit directory service access
Default:      Not Defined
FDCC value:   Failure
CCE ID:       CCE-2118, CCE-2390
Description:  Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
              By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.
              If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. Note that you can set a SACL on an Active Directory object by using the Security tab in that object's Properties dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit logon events
Default:      Not Defined
FDCC value:   Success, Failure
CCE ID:       CCE-1686, CCE-1744
Description:  Determines whether to audit each instance of a user logging on to, logging off from, or making a network connection to this computer.
              If you are logging successful Audit account logon events on a domain controller, workstation logon attempts do not generate logon audits. Only interactive and network logon attempts to the domain controller itself generate logon events. In short, "account logon events" are generated where the account lives; "logon events" are generated where the logon attempt occurs.
              If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit object access
Default:      Not Defined
FDCC value:   Failure
CCE ID:       CCE-2640, CCE-1991
Description:  Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
              If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
              Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit policy change
Default:      Not Defined
FDCC value:   Success
CCE ID:       CCE-2412, CCE-2347
Description:  Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit privilege use
Default:      Not Defined
FDCC value:   Failure
CCE ID:       CCE-2431, CCE-2584
Description:  Determines whether to audit each instance of a user exercising a user right. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
              Default: Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for "Audit privilege use":
              - Bypass traverse checking
              - Debug programs
              - Create a token object
              - Replace process level token
              - Generate security audits
              - Back up files and directories
              - Restore files and directories

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit process tracking
Default:      Not Defined
FDCC value:   No auditing
CCE ID:       CCE-2529, CCE-2617
Description:  Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Setting:      Audit system events
Default:      Not Defined
FDCC value:   Success
CCE ID:       CCE-2420, CCE-1680
Description:  Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a system event is executed successfully. Failure audits generate an audit entry when a system event is attempted unsuccessfully. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure

Path:         Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting:      Accounts: Administrator account status
Default:      Disabled
FDCC value:   Enabled
CCE ID:       CCE-499
Description:  Determines whether the Administrator account is enabled or disabled under normal operation. Under safe mode boot, the Administrator account is always enabled, regardless of this setting. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured.
              Notes for Vista: the built-in Administrator Account is disabled by default.
              Notes for XP:
              - If you try to re-enable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot re-enable the account. In this case, an alternative member of the Administrators group must set the password on the Administrator account by using the Local Users and Groups user interface.
              - Disabling the Administrator account for Windows XP can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your join fails for any reason, and there is no other local Administrator account, you must restart in safe mode to fix the problem that is causing your join status to be broken.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Accounts: Guest account status
FDCC value (Vista): Disabled
FDCC value (XP): Disabled
CCE ID: CCE-332
Registry value: (none listed)
Description: Determines if the Guest account is enabled or disabled.
Note: If the Guest account is disabled and the security option "Network Access: Sharing and Security Model" is set to "Guest only," network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.


Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Accounts: Limit local account use of blank passwords to console logon only
FDCC value (Vista): Enabled
FDCC value (XP): Enabled
CCE ID: CCE-533
Registry value: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Description: Determines whether remote interactive logons by network services such as Terminal Services, Telnet, and FTP are allowed for local accounts that have blank passwords. If this setting is enabled, a local account must have a nonblank password to be used to perform an interactive logon from a remote client.
Note:
- This setting does not affect interactive logons performed physically at the console.
- This setting does not affect logons that use domain accounts.
- It is possible for applications that use remote interactive logons to bypass this setting.


Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Accounts: Rename administrator account
FDCC value (Vista): Renamed_Admin
FDCC value (XP): Renamed_Admin
CCE ID: CCE-438
Registry value: (none listed)
Description: Determines whether a different account name is associated with the security identifier (SID) for the account "Administrator." Because the Administrator account is known to exist on all Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional computers, renaming the account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Accounts: Rename guest account
FDCC value (Vista): Renamed_Guest
FDCC value (XP): Renamed_Guest
CCE ID: CCE-834
Registry value: (none listed)
Description: Determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Because the Guest account is known to exist on all Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional computers, renaming the account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
Default: Guest.

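Renaming the built-in accounts changes only the display name: the SID stays fixed, and the built-in Administrator and Guest always carry relative identifiers 500 and 501. Anyone who can enumerate local accounts can therefore still pick the real Administrator out whatever it is called, which is why the two rename rows above only make guessing "slightly more difficult". The following PowerShell is an added example, not part of the FDCC spreadsheet: it enumerates local accounts through the Win32_UserAccount WMI class (available on XP and Vista with PowerShell 2.0 as well as on current Windows), identifies the built-ins by RID, and reports whether each one is still using its default name and whether it is disabled. The function name and output property names are the example's own.

```powershell
# Added example, not from the FDCC spreadsheet. Renaming Administrator/Guest
# does not change their SIDs: the built-ins always carry RID 500 and 501.
# This enumerates local accounts through WMI, finds the built-ins by RID, and
# reports whether each is still using its default name and whether it is
# disabled. Function and property names below are the example's own.

function Get-BuiltinAccountStatus {
    # The LocalAccount filter avoids enumerating every domain account on a
    # domain member, which can take minutes in a large forest.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"
    foreach ($acct in $accounts) {
        # The RID is the last dash-separated component of the SID string.
        $rid = [int]($acct.SID -split '-')[-1]
        $defaultName = switch ($rid) { 500 { 'Administrator' } 501 { 'Guest' } default { $null } }
        if (-not $defaultName) { continue }

        $renamed = ($acct.Name -ne $defaultName)
        if (-not $acct.Disabled) {
            $finding = 'ENABLED'
        } elseif (-not $renamed) {
            $finding = "disabled but still named $defaultName (FDCC expects it renamed)"
        } else {
            $finding = 'OK (disabled and renamed)'
        }
        New-Object PSObject -Property @{
            Builtin  = $defaultName
            Name     = $acct.Name
            SID      = $acct.SID
            Disabled = $acct.Disabled
            Renamed  = $renamed
            Finding  = $finding
        }
    }
}

Get-BuiltinAccountStatus | Format-Table Builtin, Name, SID, Disabled, Renamed, Finding -AutoSize
```

The same RID lookup is what an attacker's enumeration tooling does, so treat the rename as a nuisance for password guessing against the default name, not as a hiding measure; the disabled state is the control that matters. On PowerShell 7, replace Get-WmiObject with Get-CimInstance and the rest is unchanged.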
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Audit: Audit the access of global system objects
FDCC value (Vista): Disabled
FDCC value (XP): Disabled
CCE ID: CCE-2
Registry value: MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
Description: Determines whether to audit the access of global system objects. If this policy is enabled, system objects such as mutexes, events, semaphores, and DOS devices are created with a default system access control list (SACL). If the Audit object access audit policy is also enabled, access to these system objects is audited.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Audit: Audit the use of Backup and Restore privilege
FDCC value (Vista): Disabled
FDCC value (XP): Disabled
CCE ID: CCE-905
Registry value: MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
Description: Determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the "Audit privilege use" policy is also enabled generates an audit event for every file that is backed up or restored.
If you enable this policy, and if the "Audit privilege use" policy is enabled and in effect, any instance of user rights being exercised is recorded in the security log.
If you disable this policy, when users use Backup or Restore privileges, those events are not audited, even when "Audit privilege use" is enabled.


Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
FDCC value (Vista): Enabled
FDCC value (XP): (Not Applicable)
CCE ID: CCE-111
Registry value: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
Description: Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way by using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. A new registry value introduced in Windows Vista, SCENoApplyLegacyAuditPolicy, allows audit policy to be managed by using subcategories without requiring a change to Group Policy. This registry value can be set to prevent the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. If the category-level audit policy on a computer is not consistent with the events being generated, the cause might be that this registry value is set.
Default: Disabled.


Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Audit: Shut down system immediately if unable to log security audits
FDCC value (Vista): Disabled
FDCC value (XP): Disabled
CCE ID: CCE-92
Registry value: MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
Description: Determines whether the system shuts down if it is unable to log security events.
If this policy is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either "Do Not Overwrite Events" or "Overwrite Events by Days." If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears: "STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed." To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired.
Default: Disabled.
Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
Note: By design, when this setting is enabled and auditing fails for any reason, the system blocks everyone except Administrators from logging on. This applies to local and domain user accounts alike, on standalone systems and on domain members. The error message normal users receive when they try to log on is: “Your account is configured to prevent you from using this computer. Please try another computer.”

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
FDCC value (Vista): Not Defined
FDCC value (XP): Not Defined
CCE ID: CCE-458
Registry value: MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
Description: Controls DCOM Access. Many COM applications include some security-specific code (for example, calling CoInitializeSecurity), but use weak settings, often allowing unauthenticated access to the process. COM infrastructure includes the RPCSS, a system service that runs during system startup and always runs after that. It manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users on remote, unauthenticated computers.

In earlier versions of Windows, there was no way for an administrator to understand the exposure level of the COM servers on a computer. An administrator got an idea of the exposure level by systematically checking the configured security settings for all the registered COM applications on the computer, but, given that there are about 150 COM servers in a default installation of Windows, that task was daunting. There was no way to view the settings for a server that incorporates security in the software, short of reviewing the source code for that software. DCOM computer-wide restrictions mitigate these three problems. It also gives an administrator the capability to disable incoming DCOM
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
FDCC value (Vista): Not Defined
FDCC value (XP): Not Defined
CCE ID: CCE-740
Registry value: MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
Description: Controls DCOM Launch Permissions. Many COM applications include some security-specific code (for example, calling CoInitializeSecurity), but use weak settings, often allowing unauthenticated access to the process. COM infrastructure includes the RPCSS, a system service that runs during system startup and always runs after that. It manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users on remote, unauthenticated computers.

In earlier versions of Windows, there was no way for an administrator to understand the exposure level of the COM servers on a computer. An administrator got an idea of the exposure level by systematically checking the configured security settings for all the registered COM applications on the computer, but, given that there are about 150 COM servers in a default installation of Windows, that task was daunting. There was no way to view the settings for a server that incorporates security in the software, short of reviewing the source code for that software. DCOM computer-wide restrictions mitigate these three problems. It also gives an administrator the capability to disable incoming DCOM activation, launch, and calls. You can change the

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Devices: Allow undock without having to log on
FDCC value (Vista): Not Defined
FDCC value (XP): Not Defined
CCE ID: CCE-186
Registry value: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
Description: Determines whether a portable computer can be undocked without logging on. If this setting is disabled, a user must log on before undocking the computer.
Note: Only certain docking hardware enforces this; not all hardware blocks undocking without a logon.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Devices: Allowed to format and eject removable media
FDCC value (Vista): Administrators, Interactive Users
FDCC value (XP): Administrators, Interactive Users
CCE ID: CCE-919
Registry value: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
Description: Determines who is allowed to format and eject removable NTFS media. This capability can be given to Administrators, Administrators and Power Users, or Administrators and Interactive Users.
Default: Administrators.

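Most rows in this section carry a registry value under MACHINE (HKEY_LOCAL_MACHINE), which is what a compliance check reads back on a deployed host. The PowerShell below is an added example, not part of the FDCC spreadsheet: it compares each registry-backed setting listed above with its FDCC value and prints a status per CCE ID. The mapping of FDCC values to registry data is the example's own assumption, not stated on the page: Enabled/Disabled are DWORD 1/0; "Not Defined" is taken to mean the policy writes no value, so a value that is present is reported for review rather than as compliant or noncompliant; AllocateDASD is a REG_SZ in which "2" selects Administrators and Interactive Users; FullPrivilegeAuditing is stored as REG_BINARY and is read as its first byte; and the Vista-only row (CCE-111) is skipped on pre-Vista hosts. Function and variable names are the example's own. Run it from an elevated prompt.

```powershell
# Added example, not part of the FDCC spreadsheet: compare the registry-backed
# Security Options in this section with their FDCC values. The spreadsheet's
# "MACHINE\" prefix is HKEY_LOCAL_MACHINE, HKLM:\ in PowerShell. The value
# encodings below (1/0 for Enabled/Disabled, "2" for AllocateDASD, absent for
# "Not Defined", REG_BINARY for FullPrivilegeAuditing) are the example's own
# assumptions. Function and variable names are the example's own. Run elevated.

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Dcom = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'

$Checks = @(
    @{ CCE = 'CCE-533'; Path = $Lsa;  Name = 'LimitBlankPasswordUse';       Expected = 1
       Setting = 'Accounts: Limit local account use of blank passwords to console logon only' },
    @{ CCE = 'CCE-2';   Path = $Lsa;  Name = 'AuditBaseObjects';            Expected = 0
       Setting = 'Audit: Audit the access of global system objects' },
    @{ CCE = 'CCE-905'; Path = $Lsa;  Name = 'FullPrivilegeAuditing';       Expected = 0
       Setting = 'Audit: Audit the use of Backup and Restore privilege' },
    @{ CCE = 'CCE-111'; Path = $Lsa;  Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1; VistaOnly = $true
       Setting = 'Audit: Force audit policy subcategory settings to override category settings' },
    @{ CCE = 'CCE-92';  Path = $Lsa;  Name = 'CrashOnAuditFail';            Expected = 0
       Setting = 'Audit: Shut down system immediately if unable to log security audits' },
    @{ CCE = 'CCE-458'; Path = $Dcom; Name = 'MachineAccessRestriction';    Expected = $null
       Setting = 'DCOM: Machine Access Restrictions in SDDL syntax' },
    @{ CCE = 'CCE-740'; Path = $Dcom; Name = 'MachineLaunchRestriction';    Expected = $null
       Setting = 'DCOM: Machine Launch Restrictions in SDDL syntax' },
    @{ CCE = 'CCE-186'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'UndockWithoutLogon'; Expected = $null
       Setting = 'Devices: Allow undock without having to log on' },
    @{ CCE = 'CCE-919'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'AllocateDASD'; Expected = '2'
       Setting = 'Devices: Allowed to format and eject removable media' }
)

function Test-FdccSetting {
    param([hashtable]$Check)
    $key = Get-Item -Path $Check.Path -ErrorAction SilentlyContinue
    $actual = $null
    if ($key) { $actual = $key.GetValue($Check.Name, $null) }
    if ($actual -is [byte[]]) { $actual = [int]$actual[0] }   # REG_BINARY (FullPrivilegeAuditing)

    if ($null -eq $Check.Expected) {
        if ($null -eq $actual) { $status = 'Compliant (not defined)' }
        else { $status = 'Review: value present, FDCC leaves this Not Defined' }
    } elseif ($null -eq $actual) {
        $status = 'Absent: no value written, built-in default applies'
    } elseif ("$actual" -eq "$($Check.Expected)") {
        $status = 'Compliant'
    } else {
        $status = 'Noncompliant'
    }
    New-Object PSObject -Property @{
        CCE = $Check.CCE; Setting = $Check.Setting
        Expected = $Check.Expected; Actual = $actual; Status = $status
    }
}

$vistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
$Checks |
    Where-Object { -not $_.VistaOrLater -and (-not $_.VistaOnly -or $vistaOrLater) } |
    ForEach-Object { Test-FdccSetting -Check $_ } |
    Format-Table CCE, Status, Expected, Actual, Setting -AutoSize -Wrap
```

"Absent" is reported separately from "Noncompliant" on purpose: a missing value means the policy was never applied and the operating-system default is in force, which may or may not equal the FDCC value (for CrashOnAuditFail the default is 0, so absent is effectively compliant; for LimitBlankPasswordUse the default is also 1 on XP and later). Treat "Absent" as a prompt to confirm the policy actually applied, not as a pass.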
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Devices: Prevent users from installing printer drivers
FDCC value (Vista): Disabled
FDCC value (XP): Disabled
CCE ID: CCE-402
Registry value: MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
Description: For a computer to print to a network printer, the driver for that network printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of adding a network printer. If this setting is enabled, only Administrators and Power Users can install a printer driver as part of adding a network printer. If this setting is disabled, any user can install a printer driver as part of adding a network printer. This setting can be used to prevent unprivileged users from downloading and installing an untrusted printer driver.
Default: Enabled on servers, Disabled on workstations.
Note:
- If an administrator has configured a trusted path for downloading drivers, this setting has no impact. When trusted paths are used, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer cannot be added.
- If this setting is enabled, but the driver for a network printer already exists on the local machine, users can still add the network printer.
- This setting does not affect the ability of an administrator to add a local printer.

Note: To address concern about kernel-mode printer drivers, use Group Policy: Administrative Templates/Printers/Disallow installation of printers using kernel-mode printer drivers: Determines
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Devices: Restrict CD-ROM access to locally logged-on user only
Values: Disabled | Disabled
CCE: CCE-565
Registry key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
Description: Determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, a shared CD-ROM drive can still be accessed over the network.
Default: Disabled.
Note: When enabled, it has been reported that this policy blocks any MSI installation launched from the CD. Error number 1311 occurs. The MSI installation is successful if the installation files are copied to the local hard drive and launched from there, or if the policy is disabled. There are reports this can also affect CD burning.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Devices: Restrict floppy access to locally logged-on user only
Values: Disabled | Disabled
CCE: CCE-463
Registry key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
Description: Determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on interactively, the floppy can be accessed over the network.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Devices: Unsigned driver installation behavior
Values: (Not Applicable) | Do not allow installation
CCE: CCE-413
Registry key: MACHINE\Software\Microsoft\Driver Signing\Policy
Description: Determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are:
-Silently succeed
-Warn but allow installation
-Do not allow installation
Default: Warn but allow installation.
Note: When set to Do Not Allow, if certificates are not updated on desktops regularly, a customer can get trapped in a situation where key driver updates will not be allowed to install since the certificates installed locally have expired. Without a healthy Certificate Server structure and regular communications between administrators and package builders, blocking unsigned driver installations can be a serious problem. Also, if set to Warn but Allow Installation, even unattended installations will be halted: the user is informed that the digital certificate is not recognized and asked whether to proceed (or, if the prompt is hidden by the agent, is never informed). If the user clicks No, the update (many updates are driver updates) or package never applies. This can impact SMS, WSUS, and other software delivery mechanisms if the certificates are not carefully managed.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain controller: Allow server operators to schedule tasks
Values: Not Defined | Not Defined
CCE: CCE-257
Registry key: MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
Description: Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.
Default: This policy is not defined, which means that the system treats it as disabled.
Note: This security option only affects the AT schedule facility; it does not affect the Task Scheduler facility.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain controller: LDAP server signing requirements
Values: (Not Applicable) | Not Defined
CCE: CCE-710
Registry key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
Description: This policy setting determines whether the LDAP server requires a signature before it will negotiate with LDAP clients. Network traffic that is neither signed nor encrypted is susceptible to man-in-the-middle attacks in which an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. For an LDAP server, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. If all domain controllers run Windows 2000 or Windows Server 2003, configure the Domain controller: LDAP server signing requirements setting to Require signing. Otherwise, leave this policy setting configured as Not defined, which is the DCBP configuration for the LC and EC environments. This policy setting is configured to Require signing in the DCBP for the SSLF environment because all computers in this environment run either Windows 2000 or Windows Server 2003.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain controller: Refuse machine account password changes
Values: (Not Applicable) | Not Defined
CCE: CCE-490
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
Description: Determines whether or not a Domain Controller will accept password change requests for computer accounts. If enabled on all Domain Controllers in a domain, then domain members will not be able to change their machine account passwords, leaving those passwords susceptible to attack.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain member: Digitally encrypt or sign secure channel data (always)
Values: Enabled | Enabled
CCE: CCE-549
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Description: Determines whether a secure channel can be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If this setting is enabled, a secure channel cannot be established with any domain controller that cannot sign or encrypt all secure channel data. If this setting is disabled, a secure channel can be established, but the level of encryption and signing is negotiated.
Important:
-For you to enable this setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure channel data. This means that all such domain controllers must be running Windows NT 4.0 with Service Pack 4 or higher.
-For you to enable this setting on a domain controller, all domain controllers in all trusting and trusted domains must be capable of signing or encrypting all secure channel data. This means that all such domain controllers must be running Windows NT 4.0 with Service Pack 4 or higher.
-If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is automatically enabled.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain member: Digitally encrypt secure channel data (when possible)
Values: Enabled | Enabled
CCE: CCE-161
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
Description: If this setting is enabled, it ensures that all secure channel traffic is encrypted if the partner domain controller is also capable of encrypting all secure channel traffic.
Note: There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain member: Digitally sign secure channel data (when possible)
Values: Enabled | Enabled
CCE: CCE-918
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
Description: If this setting is enabled, it ensures that all secure channel traffic is signed if the partner domain controller is also capable of signing all secure channel traffic.
Note: There is no known reason for disabling this setting. Besides unnecessarily reducing the potential integrity level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain member: Disable machine account password changes
Values: Disabled | Disabled
CCE: CCE-831
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
Description: Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for "Domain Member: Maximum age for machine account password," which by default is every 30 days.
Note:
-This setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
-This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain member: Maximum machine account password age
Values: 30 Days | 30 Days
CCE: CCE-194
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Description: Determines the maximum allowable age for a computer account password.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Domain member: Require strong (Windows 2000 or later) session key
Values: Enabled | Enabled
CCE: CCE-417
Registry key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Description: Determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong (128-bit) session key. If this setting is enabled, a secure channel is not established with any domain controller that cannot encrypt secure channel data with a strong key. If this setting is disabled, 64-bit session keys are tolerated.
Note:
-To enable this setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong (128-bit) key. This means that all such domain controllers must be running Windows 2000.
-To enable this setting on a domain controller, all domain controllers in all trusting and trusted domains must be capable of encrypting secure channel data with a strong (128-bit) key. This means that all such domain controllers must be running Windows 2000.
See KB Article http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Do not display last user name
Values: Enabled | Enabled
CCE: CCE-65
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
Description: Determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to log on is displayed.
Default: Disabled.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Do not require CTRL+ALT+DELETE
Values: Disabled | Disabled
CCE: CCE-133
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
Description: Determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon).
Default:
-Disabled on workstations and servers that are joined to a domain.
-Enabled on stand-alone workstations.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Message text for users attempting to log on
Values: (banner text not rendered in the source export)
CCE ID: CCE-829
Registry: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Description: Specifies a text message that is displayed to users when they log on.
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Default: No message.
Note:
• Windows XP Professional adds support for configuring logon banners that can exceed 512 characters in length and that can also contain carriage-return line-feed sequences. However, Windows 2000 clients cannot interpret and display message text that is created by Windows XP Professional computers. You must use a Windows 2000 computer to create a logon message policy that applies to Windows 2000 computers. If you inadvertently create a logon message policy using a Windows XP Professional computer, and you discover that it does not display properly on Windows 2000 computers, do the following:
-Undefine the setting.
-Redefine the setting using a Windows 2000 computer.
Simply changing a Windows XP Professional-defined logon message policy using a Windows 2000 computer does not work. The setting must be undefined first.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Message title for users attempting to log on
Values: -- WARNING -- | -- WARNING --
CCE ID: CCE-23
Registry: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
Description: Allows the specification of a title to appear in the title bar of the window that contains the "Interactive logon: Message text for users attempting to log on" text.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Values: 2 | 2
CCE ID: CCE-773
Registry: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Description: Logon information for domain accounts can be cached locally so that, in the event a domain controller cannot be contacted on subsequent logons, a user can still log on. This setting determines the number of unique users for which logon information is cached locally.
If the value is 10 and 9 users log on to the machine while a domain controller is reachable, all 9 can still log on when the domain controller is offline. If 11 users log on while the domain controller is reachable, only the last 10 are cached and able to log on without a domain controller; the oldest entry is evicted. Setting the value to 0 prevents any logons from being cached, so the computer will not allow any domain logons while a domain controller is unavailable. The cached verifiers are stored under HKLM\SECURITY and can be extracted and attacked offline by anyone with administrative or physical access to the machine, which is why the FDCC value is kept low.
If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message: "A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available." If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: "The system cannot log you on now because the domain <DOMAIN_NAME> is not available."

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Prompt user to change password before expiration
Values: 14 days | 14 days
CCE ID: CCE-814
Registry: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
Description: Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Require Domain Controller authentication to unlock workstation
Values: Disabled | Disabled
CCE ID: CCE-374
Registry: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
Description: Logon information must be provided to unlock a locked computer. For domain accounts, this setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Require smart card
Values: Not Defined | Not Defined
CCE ID: CCE-828
Registry: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
Description: Forces use of a smart card to log on at the workstation interactively.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Interactive logon: Smart card removal behavior
Values: Lock Workstation | Lock Workstation
CCE ID: CCE-443
Registry: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
Description: Determines what happens when the smart card for a logged-on user is removed from the smart card reader.
The options are:
-No Action
-Lock Workstation
-Force Logoff
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network client: Digitally sign communications (always)
Values: Enabled | Enabled
CCE ID: CCE-576
Registry: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
Description: Determines whether the computer always digitally signs client communications.
The Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional authentication protocol Server Message Block (SMB) supports mutual authentication, which closes a "man-in-the-middle" attack, and supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server.
To use SMB signing, you must either enable it or require it on both the SMB client and the SMB server. If SMB signing is enabled on a server, clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, a client is not able to establish a session unless it is at least enabled for SMB signing.
If this policy is enabled, it requires the SMB client to sign packets. If this policy is disabled, it does not require the SMB client to sign packets.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network client: Digitally sign communications (if server agrees)
Values: Enabled | Enabled
CCE ID: CCE-519
Registry: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
Description: If this policy is enabled, it causes the Server Message Block (SMB) client to perform SMB packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network client: Send unencrypted password to third-party SMB servers
Values: Disabled | Disabled
CCE ID: CCE-228
Registry: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
Description: If this policy is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network server: Amount of idle time required before suspending session
Values: 15 minutes | 15 minutes
CCE ID: CCE-222
Registry: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
Description: Amount of time before a session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 minutes, which is just over 69 days; in effect, this value disables the policy.
Default: 15 minutes for servers, Undefined for workstations.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network server: Digitally sign communications (always)
Values: Enabled | Enabled
CCE ID: CCE-171
Registry: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
Description: If this policy is enabled, it requires the Server Message Block (SMB) server to perform SMB packet signing.
Default: Disabled. (Reason: legacy NT 4.0 systems.)

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network server: Digitally sign communications (if client agrees)
Values: Enabled | Enabled
CCE ID: CCE-104
Registry: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
Description: If this policy is enabled, it causes the Server Message Block (SMB) server to perform SMB packet signing.
Default: Disabled on workstations, Enabled on servers.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: Microsoft network server: Disconnect clients when logon hours expire
Values: Enabled | Enabled
CCE ID: CCE-278
Registry: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
Description: Determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
Values: Disabled | Disabled
CCE ID: CCE-283
Registry: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
Description: Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed. The password used for automatic logon is stored in clear text in the DefaultPassword value of the same Winlogon key, where any local user can read it.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Values: Highest Protection, source routing is automatically disabled. | Highest Protection, source routing is automatically disabled.
CCE ID: CCE-564
Registry: MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
Description: IP source routing is a mechanism allowing the sender to determine the IP route that a datagram should take through the network.
0 = No additional protection, source routed packets are allowed
1 = Medium, source routed packets ignored when IP forwarding is enabled
2 = Highest protection, source routing is completely disabled

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
Values: Disabled | Disabled
CCE ID: CCE-897
Registry: MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
Description: When dead-gateway detection is enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty.

Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Values: Disabled | Disabled
CCE ID: CCE-150
Registry: MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
Description: Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. This behavior is expected; the problem is that the 10 minute time-out period for the ICMP redirect plumbed routes temporarily creates a black hole for the network where traffic will no longer be routed properly for the affected host.

Computer                    MSS:                         Not Defined                      Not Defined                    CCE-998                              When this value is enabled, the default setting, the TCP stack
Configuration\Windows       (EnablePMTUDiscovery)                                                                                                             tries to automatically determine either the maximum
                                                                                                                                                              transmission unit (MTU) or the largest packet size over the
Settings\Security           Allow automatic detection of                                                                                                      path to a remote host.
Settings\Local              MTU size (possible DoS by
Policies\Security Options   an attacker using a small
                            MTU)
Computer                    MSS: (Hidden) Hide           Enabled                          Not defined                    CCE-139   MACHINE\System\Curre       Hidden Registry key to 1. The machine will be accessible as
Configuration\Windows       computer from the browse                                                                               ntControlSet\Services\La   a network server, but users must manually enter Uniform
                                                                                                                                                              Naming Convention (UNC) pathnames to the server and its
Settings\Security           list (Not Recommended                                                                                  nmanserver\Parameters\     shared resources—the machine won't appear in network
Settings\Local              except for highly secure                                                                               Hidden                     browse lists. After you make this change, you must stop and
Policies\Security Options   environments                                                                                                                      restart the Server service or reboot the machine. Also, a
                                                                                                                                                              machine can take as many as 51 minutes to disappear from
                                                                                                                                                              the browse list because of the Windows network browsing
                                                                                                                                                              services' expiration policies. See
                                                                                                                                                              http://www.microsoft.com/technet/treeview/default.asp?url=/te
                                                                                                                                                              chnet/security/prodtech/Windows/Win2kHG/05SConfg.asp,
                                                                                                                                                              under Hide the computer from the network browse list




Computer                    MSS: (KeepAliveTime) How 300000 or 5 minutes                  300000 or 5 minutes            CCE-188   MACHINE\System\Curre       This value controls how often TCP attempts to verify that an
Configuration\Windows       often keep-alive packets are (recommended)                    (recommended)                            ntControlSet\Services\Tc   idle connection is still intact by sending a keep-alive packet. If
                                                                                                                                                              the remote computer is still reachable, it acknowledges the
Settings\Security           sent in milliseconds                                                                                   pip\Parameters\KeepAliv    keep-alive packet.
Settings\Local                                                                                                                     eTime
Policies\Security Options
Computer                    MSS: (NoDefaultExempt)     Mulitcast, Broadcast, and          Not defined                    CCE-501   MACHINE\System\Curre       Some types of traffic are exempted by design from being
Configuration\Windows       Enable NoDefaultExempt for ISAKMP are exempt (Best for                                                 ntControlSet\Services\IP   secured by IPSec, even when the IPSec policy specifies that
                                                                                                                                                              all IP traffic should be secured. The IPSec exemptions apply
Settings\Security           IPSec Filtering            Windows XP)                                                                 SEC\NoDefaultExempt        to Broadcast, Multicast, RSVP, IKE, and Kerberos traffic. For
Settings\Local              (recommended)                                                                                                                     details about these exemptions, please refer to Microsoft
Policies\Security Options                                                                                                                                     Knowledge Base article: 254949 "Client-to-Domain Controller
                                                                                                                                                              and Domain Controller-to-Domain Controller IPSec Support."
                                                                                                                                                              This exemption can be used by an attacker to circumvent
                                                                                                                                                              IPSec restrictions. Therefore, it is important to remove it if at
                                                                                                                                                              all possible. On systems that do not use IPSec, this setting
                                                                                                                                                              has no effect


Computer                    MSS:                           255, disable autorun for all   255, disable autorun for all   CCE-44    MACHINE\SOFTWARE\          Disables autorun on all drive types, including external USB
Configuration\Windows       (NoDriveTypeAutoRun)           drives                         drives                                   Microsoft\Windows\Curr     drivers, CDs and DVDs.

Settings\Security           Disable Autorun for all drives                                                                         entVersion\Policies\Expl
Settings\Local              (recommended)                                                                                          orer\NoDriveTypeAutoR
Policies\Security Options                                                                                                          un
Computer                    MSS:                     Enabled                              Enabled                        CCE-817   MACHINE\System\Curre       Network basic input/output system (NetBIOS) over TCP/IP is
Configuration\Windows       (NoNameReleaseOnDeman                                                                                  ntControlSet\Services\N    a networking protocol that, among other things, provides a
                                                                                                                                                              means of easily resolving NetBIOS names registered on
Settings\Security           d) Allow the computer to                                                                               etbt\Parameters\NoNam      Windows- based systems to the IP addresses configured on
Settings\Local              ignore NetBIOS name                                                                                    eReleaseOnDemand           those systems. This value determines whether the computer
Policies\Security Options   release requests except                                                                                                           releases its NetBIOS name when it receives a name release
                            from WINS servers                                                                                                                 request.
                                                                                                                                                              The NoNameReleaseOnDemand setting configures the
                                                                                                                                                              system to refuse name release requests to release its SMB
                                                                                                                                                              name. This setting prevents an attacker from sending a name
                                                                                                                                                              release request to a server, causing the server to be
                                                                                                                                                              inaccessible to legitimate clients. If this setting is configured
                                                                                                                                                              on a client, however, and that client is mis-configured with the
                                                                                                                                                              same name as a critical server, the server will be unable to
                                                                                                                                                              recover the name, and legitimate requests may be directed to
                                                                                                                                                              the rogue server instead, causing a denial of service condition
                                                                                                                                                              at best.
Computer                    MSS:                         Disabled                     Disabled                    CCE-511     MACHINE\System\Curre         Windows Server 2000 supports 8.3 file name formats for
Configuration\Windows       (NtfsDisable8dot3NameCrea                                                                         ntControlSet\Control\File    backward compatibility with 16- bit applications. The 8.3 file
                                                                                                                                                           name convention is a naming format that allows file names
Settings\Security           tion) Enable the computer to                                                                      System\NtfsDisable8dot       that are up to eight characters in length.
Settings\Local              stop generating 8.3 style                                                                         3NameCreation                Note: Some legacy applications may have trouble with this,
Policies\Security Options   filenames (recommended)                                                                                                        as they look for the 8.3 file naming convention.


Computer                    MSS:                          Disabled                    Disabled                    CCE-952     MACHINE\System\Curre This setting is used to enable or disabled the Internet Router
Configuration\Windows       (PerformRouterDiscovery)                                                                          ntControlSet\Services\Tc Discovery Protocol (IRDP). IRDP allows the system to detect
                                                                                                                                                       and configure Default Gateway addresses automatically.
Settings\Security           Allow IRDP to detect and                                                                          pip\Parameters\Perform
Settings\Local              configure DefaultGateway                                                                          RouterDiscovery
Policies\Security Options   addresses (could lead to
                            DoS)
Computer                    MSS:                          Enabled                     Enabled                     CCE-271
Configuration\Windows       (SafeDLLSearchMode)
Settings\Security           Enable safe DLL search
Settings\Local              mode (Recommended)
Policies\Security Options
Computer                    MSS:                          5                           5                           CCE-830     MACHINE\Software\Micr
Configuration\Windows       (ScreenSaverGracePeriod)                                                                          osoft\WindowsNT\Curre
Settings\Security           The time in seconds before                                                                        ntVersion\Winlogon!Scre
Settings\Local              the screen saver grace                                                                            enSaverGracePeriod
Policies\Security Options   period expires (0
                            Recommended)
Computer                    MSS: (SynAttackProtect)       Enabled: Connections timeout Enabled: Connections timeout CCE-284   MACHINE\System\Curre         This registry value causes TCP to adjust retransmission of
Configuration\Windows       Syn attack protection level   sooner if a SYN attack is    sooner if a SYN attack is              ntControlSet\Services\Tc     SYN- ACKs. When you configure this value, the connection
                                                                                                                                                           responses time- out more quickly in the event of a connect
Settings\Security           (protects against DoS)        detected                     detected                               pip\Parameters\SynAttac      request (SYN) attack.
Settings\Local                                                                                                                kProtect                     1 = Connections timeout more quickly if a SYN attack is
Policies\Security Options                                                                                                                                  detected
                                                                                                                                                           0 = No additional protection, use default settings
                                                                                                                                                           Note: W2K had another option = 2 that has been incorporated
                                                                                                                                                           into option 1 in W2K3.

Computer                    MSS:                      Enabled: 3 & 6 seconds, half-   Enabled: 3&6 second, half-    CCE-577   MACHINE\System\Curre         This parameter determines the number of times that TCP
Configuration\Windows       (TCPMaxConnectResponse open connections dropped           open connections droped after           ntControlSet\Services\Tc     retransmits a SYN before aborting the attempt. The
                                                                                                                                                           retransmission time-out is doubled with each successive
Settings\Security           Retransmissions) SYN-ACK after 21 seconds                 21 seconds                              pip\Parameters\TcpMax        retransmission in a given connect attempt. The initial time-out
Settings\Local              retransmissions when a                                                                            ConnectResponseRetra         value is three seconds.
Policies\Security Options   connection request is not                                                                         nsmissions                   0 = No retransmission, half- open connections dropped after 3
                            acknowledged                                                                                                                   seconds
                                                                                                                                                           1 = 3 seconds, half- open connections dropped after 9
                                                                                                                                                           seconds
                                                                                                                                                           2 = 3 & 6 seconds, half- open connections dropped after 21
                                                                                                                                                           seconds
                                                                                                                                                           3 = 3, 6, & 9 seconds, half- open connections dropped after
                                                                                                                                                           45 seconds

Computer                    MSS:                       Enabled: 3                     Enabled: 3                  CCE-872     MACHINE\System\Curre         This parameter controls the number of times that TCP
Configuration\Windows       (TCPMaxDataRetransmissio                                                                          ntControlSet\Services\Tc     retransmits an individual data segment (non- connect
                                                                                                                                                           segment) before aborting the connection. The retransmission
Settings\Security           ns) How many times                                                                                pip\Parameters\TcpMax        time- out is doubled with each successive retransmission on a
Settings\Local              unacknowledged data is                                                                            DataRetransmissions          connection. It is reset when responses resume. The base time-
Policies\Security Options   retransmitted (3                                                                                                               out value is dynamically determined by the measured round-
                            Recommended, 5 is Default)                                                                                                     trip time on the connection.


Computer                    MSS: (WarningLevel)          90%                          90%                         CCE-125     MACHINE\SYSTEM\Cur           Windows Server 2003 and Service Pack 3 for Windows 2000
Configuration\Windows       Percentage threshold for the                                                                      rentControlSet\Services\     include a new feature for generating a security audit in the
                                                                                                                                                           security event log when the security log reaches a user
Settings\Security           security event log at which                                                                       Eventlog\Security\Warni      defined threshold.
Settings\Local              the system will generate a                                                                        ngLevel
Policies\Security Options   warning
Computer                    Network access: Allow          Disabled   Disabled   CCE-953   Not a Registry Key         Determines if an anonymous user can request security
Configuration\Windows       anonymous SID/Name                                                                        identifier (SID) attributes for another user. If this policy is
                                                                                                                      enabled, a user with knowledge of an administrator's SID
Settings\Security           translation                                                                               could contact a computer that has this policy enabled and use
Settings\Local                                                                                                        the SID to get the administrator's name.
Policies\Security Options                                                                                             Default: Disabled on workstations, Enabled on server.
Computer                    Network access: Do not         Enabled    Enabled    CCE-318   MACHINE\System\Curre       Determines what additional permissions will be granted for
Configuration\Windows       allow anonymous                                                ntControlSet\Control\Lsa   anonymous connections to the computer. Windows allows
                                                                                                                      anonymous users to perform certain activities, such as
Settings\Security           enumeration of SAM                                             \RestrictAnonymousSAM      enumerating the names of domain accounts and network
Settings\Local              accounts                                                                                  shares. This is convenient, for example, when an
Policies\Security Options                                                                                             administrator wants to grant access to users in a trusted
                                                                                                                      domain that does not maintain a reciprocal trust. By default,
                                                                                                                      an anonymous user has the same access that is granted to
                                                                                                                      the Everyone group for a given resource. This security option
                                                                                                                      allows additional restrictions to be placed on anonymous
                                                                                                                      connections as follows:
                                                                                                                      -None. Rely on default permissions.
                                                                                                                      -Do not allow enumeration of SAM accounts. This option
                                                                                                                      replaces "Everyone" with "Authenticated Users" in the security
                                                                                                                      permissions for resources.
                                                                                                                      Default: Enabled on workstation, Disabled on server.



Computer                    Network access: Do not         Enabled    Enabled    CCE-195   MACHINE\System\Curre       Determines whether anonymous enumeration of SAM
Configuration\Windows       allow anonymous                                                ntControlSet\Control\Lsa   accounts and shares is allowed.
                                                                                                                      Windows allows anonymous users to perform certain
Settings\Security           enumeration of SAM                                             \RestrictAnonymous         activities, such as enumerating the names of domain
Settings\Local              accounts and shares                                                                       accounts and network shares. This is convenient, for
Policies\Security Options                                                                                             example, when an administrator wants to grant access to
                                                                                                                      users in a trusted domain that does not maintain a reciprocal
                                                                                                                      trust. If you do not want to allow anonymous enumeration of
                                                                                                                      SAM accounts and shares, then enable this policy.


Computer                    Network access: Do not         Enabled    Enabled    CCE-542   MACHINE\System\Curre       Determines whether the Stored User Names and Passwords
Configuration\Windows       allow storage of credentials                                   ntControlSet\Control\Lsa   saves passwords or credentials for later use when it gains
                                                                                                                      domain authentication. If it is enabled, this setting prevents
Settings\Security           or .NET Passports for                                          \DisableDomainCreds        the Stored User Names and Passwords from storing
Settings\Local              network authentication                                                                    passwords and credentials.
Policies\Security Options
Computer                    Network access: Let        Disabled       Disabled   CCE-18    MACHINE\System\Curre       Determines what additional permissions are granted for
Configuration\Windows       Everyone permissions apply                                     ntControlSet\Control\Lsa   anonymous connections to the computer. Windows used to
                                                                                                                      allow anonymous users to perform certain activities, such as
Settings\Security           to anonymous users                                             \EveryoneIncludesAnony     enumerating the names of domain accounts and network
Settings\Local                                                                             mous                       shares. This is convenient, for example, when an
Policies\Security Options                                                                                             administrator wants to grant access to users in a trusted
                                                                                                                      domain that does not maintain a reciprocal trust. By Default,
                                                                                                                      the Everyone security identifier (SID) is now removed from the
                                                                                                                      token created for anonymous connections. Therefore,
                                                                                                                      permissions granted to the Everyone group do not apply to
                                                                                                                      anonymous users. If this option is set, anonymous users can
                                                                                                                      only access those resources for which the anonymous user
                                                                                                                      has been explicitly given permission. If this policy is enabled,
                                                                                                                      the Everyone SID is added to the token that is created for
                                                                                                                      anonymous connections. In this case, anonymous users are
                                                                                                                      able to access any resource for which the Everyone group
                                                                                                                      has been given permissions. It is NOT recommended to
                                                                                                                      enable this setting.
Setting:       Network access: Named Pipes that can be accessed anonymously
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: netlogon, lsarpc, samr, browser
Windows XP:    COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
CCE ID:        CCE-136
Registry key:  MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
Description:   Determines which communication sessions (pipes) will have attributes and permissions
               that allow anonymous access.

Setting:       Network access: Remotely accessible registry paths
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: System\CurrentControlSet\Control\ProductOptions,
               System\CurrentControlSet\Control\Server Applications,
               Software\Microsoft\Windows NT\CurrentVersion
Windows XP:    (Not Applicable)
CCE ID:        CCE-189
Registry key:  MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine
Description:   Determines which registry paths will be accessible when referencing the winreg key for
               access permissions to those paths.

Setting:       Network access: Remotely accessible registry paths and subpaths
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: System\CurrentControlSet\Control\Print\Printers
               System\CurrentControlSet\Services\Eventlog
               Software\Microsoft\OLAP Server
               Software\Microsoft\Windows NT\CurrentVersion\Print
               Software\Microsoft\Windows NT\CurrentVersion\Windows
               System\CurrentControlSet\Control\ContentIndex
               System\CurrentControlSet\Control\Terminal Server
               System\CurrentControlSet\Control\Terminal Server\UserConfig
               System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
               Software\Microsoft\Windows NT\CurrentVersion\Perflib
               System\CurrentControlSet\Services\SysmonLog
Windows XP:    System\CurrentControlSet\Control\ProductOptions
               System\CurrentControlSet\Control\Print\Printers
               System\CurrentControlSet\Control\Server Applications
               System\CurrentControlSet\Services\Eventlog
               Software\Microsoft\OLAP Server
               Software\Microsoft\Windows NT\CurrentVersion
               System\CurrentControlSet\Control\ContentIndex
               System\CurrentControlSet\Control\Terminal Server
               System\CurrentControlSet\Control\Terminal Server\UserConfig
               System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
CCE ID:        CCE-1185 (CCE-189 for Windows XP)
Registry key:  MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
Description:   Determines which registry paths and sub-paths will be accessible when referencing the
               winreg key for access permissions to those paths.

Setting:       Network access: Restrict anonymous access to Named Pipes and Shares
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Enabled
Windows XP:    (Not Applicable)
CCE ID:        CCE-638
Registry key:  MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
Description:   When enabled, this security setting restricts anonymous access to shares and pipes to
               the settings for:
               -Network access: Named pipes that can be accessed anonymously
               -Network access: Shares that can be accessed anonymously
               Default: Enabled.

Setting:       Network access: Shares that can be accessed anonymously
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: (None)
Windows XP:    COMCFG, DFS$
CCE ID:        CCE-942
Registry key:  MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
Description:   Determines which network shares can be accessed by anonymous users.

Setting:       Network access: Sharing and security model for local accounts
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Classic - Local users authenticate as themselves
Windows XP:    Classic - Local users authenticate as themselves
CCE ID:        CCE-343
Registry key:  MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
Description:   Determines how network logons that use local accounts are authenticated. If this setting
               is set to Classic, network logons that use local account credentials authenticate by
               using those credentials. If this setting is set to Guest only, network logons that use
               local accounts are automatically mapped to the Guest account. The Classic model allows
               fine control over access to resources. By using the Classic model, you can grant
               different types of access to different users for the same resource. Using the Guest
               only model, all users are treated equally. All users authenticate as Guest, and they all
               receive the same level of access to a given resource, which can be either Read Only or
               Modify.
               There are two options available:
               -Classic: local users authenticate as themselves.
               -Guest only: local users authenticate as Guest.

Setting:       Network security: Do not store LAN Manager hash value on next password change
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Enabled
Windows XP:    Enabled
CCE ID:        CCE-233
Registry key:  MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Description:   Determines if, at the next password change, LAN Manager is prevented from storing hash
               values for the new password. It is important to enable this setting since the LAN
               Manager Hash is a prime target of many hackers.

Setting:       Network security: Force logoff when logon hours expire
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Enabled
Windows XP:    Enabled
CCE ID:        CCE-775
Registry key:  Not a Registry Key
Description:   Determines whether to disconnect users who are connected to the local computer outside
               their user account's valid logon hours. This setting affects the Server Message Block
               (SMB) component. When this policy is enabled, it causes client sessions with the SMB
               server to be forcibly disconnected when the client's logon hours expire. If this policy
               is disabled, an established client session is allowed to be maintained after the
               client's logon hours have expired.

Setting:       Network security: LAN Manager authentication level
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Send NTLMv2 Response only. Refuse LM and NTLM
Windows XP:    Send NTLM v2 Response only/Refuse LM & NTLM
CCE ID:        CCE-719
Registry key:  MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Description:   Determines which challenge/response authentication protocol is used for network logons.
               This choice affects the level of authentication protocol used by clients, the level of
               session security negotiated, and the level of authentication accepted by servers as
               follows:
               -Send LM & NTLM responses (0): Clients use LM and NTLM authentication and never use
                NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
               -Send LM & NTLM (1) - use NTLMv2 session security if negotiated: Clients use LM and NTLM
                authentication and use NTLMv2 session security if the server supports it; domain
                controllers accept LM, NTLM, and NTLMv2 authentication.
               -Send NTLM response only (2): Clients use NTLM authentication only and use NTLMv2
                session security if the server supports it; domain controllers accept LM, NTLM, and
                NTLMv2 authentication.
               -Send NTLMv2 response only (3): Clients use NTLMv2 authentication only and use NTLMv2
                session security if the server supports it; domain controllers accept LM, NTLM, and
                NTLMv2 authentication.
               -Send NTLMv2 response only\refuse LM (4): Clients use NTLMv2 authentication only and
                use NTLMv2 session security if the server supports it; domain controllers refuse LM
                (accept only NTLM and NTLMv2 authentication).
               -Send NTLMv2 response only\refuse LM & NTLM (5): Clients use NTLMv2 authentication only
                and use NTLMv2 session security if the server supports it; domain controllers refuse
                LM and NTLM (accept only NTLMv2 authentication).

Setting:       Network security: LDAP client signing requirements
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Negotiate Signing
Windows XP:    Negotiate Signing
CCE ID:        CCE-732
Registry key:  MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
Description:   This security setting determines the level of data signing that is requested on behalf
               of clients issuing LDAP BIND requests, as follows:
               -None: The LDAP BIND request is issued with the options that are specified by the
                caller.
               -Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not
                been started, the LDAP BIND request is initiated with the LDAP data signing option set
                in addition to the options specified by the caller. If TLS\SSL has been started, the
                LDAP BIND request is initiated with the options that are specified by the caller.
               -Require signature: This is the same as Negotiate signing. However, if the LDAP
                server's intermediate saslBindInProgress response does not indicate that LDAP traffic
                signing is required, the caller is told that the LDAP BIND command request failed.
               Caution: If you set the server to Require signature, you must also set the client. Not
               setting the client results in a loss of connection with the server.

Setting:       Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Require NTLMv2 session security, Require 128 bit encryption
Windows XP:    Require message integrity, Require message confidentiality, Require NTLMv2 session
               security, Require 128-bit encryption
CCE ID:        CCE-674
Registry key:  MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
Description:   Determines the minimum security standards for an application-to-application
               communications session for a client. Historically, Windows NT supports two variants of
               challenge/response authentication for network logons:
               -LAN Manager (LM) challenge/response
               -NTLM version 1 challenge/response
               LM allows interoperability with the installed base of clients and servers. NTLM provides
               improved security for connections between clients and servers.

Setting:       Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Require NTLMv2 session security, Require 128 bit encryption
Windows XP:    Require message integrity, Require message confidentiality, Require NTLMv2 session
               security, Require 128-bit encryption
CCE ID:        CCE-766
Registry key:  MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
Description:   Determines the minimum security standards for an application-to-application
               communications session for a server. Historically, Windows NT supports two variants of
               challenge/response authentication for network logons:
               -LAN Manager (LM) challenge/response
               -NTLM version 1 challenge/response
               LM allows interoperability with the installed base of clients and servers. NTLM provides
               improved security for connections between clients and servers.

Setting:       Recovery console: Allow automatic administrative logon
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Disabled
Windows XP:    Disabled
CCE ID:        CCE-410
Registry key:  MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
Description:   Determines if the password for the Administrator account must be given before access to
               the system is granted. If this option is enabled, the Recovery Console does not require
               you to provide a password, and it automatically logs on to the system.

Setting:       Recovery console: Allow floppy copy and access to all drives and all folders
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Disabled
Windows XP:    Disabled
CCE ID:        CCE-76
Registry key:  MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
Description:   Enabling this option makes the Recovery Console SET command available, which allows you
               to set the following Recovery Console environment variables:
               -AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
               -AllowAllPaths: Allow access to all files and folders on the computer.
               -AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.
               -NoCopyPrompt: Do not prompt when overwriting an existing file.

Setting:       Shutdown: Allow system to be shut down without having to log on
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Enabled
Windows XP:    Enabled
CCE ID:        CCE-224
Registry key:  MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
Description:   Determines whether a computer can be shut down without having to log on to Windows.
               When this policy is enabled, the Shut Down command is available on the Windows logon
               screen. When this policy is disabled, the option to shut down the computer does not
               appear on the Windows logon screen. In this case, users must be able to log on to the
               computer successfully and have the Shut down the system user right before they can
               perform a system shutdown.
               Default: Enabled on workstations, Disabled on servers.

Setting:       Shutdown: Clear virtual memory pagefile
Path:          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Windows Vista: Disabled
Windows XP:    Disabled
CCE ID:        CCE-422
Registry key:  MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
Description:   Determines whether the virtual memory pagefile is cleared when the system is shut down.
               Virtual memory support uses a system pagefile to swap pages of memory to disk when they
               are not used. On a running system, this pagefile is opened exclusively by the operating
               system, and it is well protected. However, systems that are configured to allow booting
               to other operating systems might have to make sure that the system pagefile is wiped
               clean when this system shuts down. This ensures that sensitive information from process
               memory that might go into the pagefile is not available to an unauthorized user who
               manages to directly access the pagefile. When this policy is enabled, it causes the
               system pagefile to be cleared upon clean shutdown. If you enable this security option,
               the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled on
               a portable computer system.

Setting: System Cryptography: Force strong key protection for user keys stored on the computer
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): (Not Applicable)
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-647
Registry key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
Description: This security setting determines if users' private keys require a password to be used. (Definition of Private Keys: The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to decrypt a symmetric session key, digitally sign data, or decrypt data that has been encrypted with the corresponding public key.) The options are:
  - User input is not required when new keys are stored and used
  - User is prompted when the key is first used
  - User must enter a password each time they use a key
  Default: Not defined. Note: If enabled, requires entry of a key to access EFS or S/MIME.

Setting: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Enabled
FDCC value (col. 2): Enabled
CCE ID: CCE-55
Registry key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
Description: Determines if the TLS/SSL Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In effect, this means that the provider only supports the TLS protocol as a client and as a server (if applicable). It uses only the Triple DES encryption algorithm for the TLS traffic encryption, only the RSA public key algorithm for the TLS key exchange and authentication, and only the SHA-1 hashing algorithm for the TLS hashing requirements. For Encrypting File System Service (EFS), it supports only the Triple DES encryption algorithm for encrypting file data supported by the Windows NTFS File System. By default, the Encrypting File System Service (EFS) uses the DESX algorithm for encrypting file data. Setting to “Enabled” causes problems documented in MS KB article “Can't browse to SSL sites after enabling FIPS compliant cryptography”.

Setting: System objects: Default owner for objects created by members of the Administrators group
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Not Defined
FDCC value (col. 2): Object Creator
CCE ID: CCE-575
Registry key: MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner
Description: Determines whether the Administrators group or an object creator is the default owner of any system objects that are created. Default: Administrators group (on servers).

Setting: System objects: Require case insensitivity for non-Windows subsystems
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Enabled
FDCC value (col. 2): Enabled
CCE ID: CCE-300
Registry key: MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
Description: Determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.

Setting: System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Enabled
FDCC value (col. 2): Enabled
CCE ID: CCE-508
Registry key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
Description: Determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.

Setting: System settings: Optional subsystems
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Not Defined
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-48
Registry key: MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
Description: This security setting determines which subsystems are used to support your applications. With this security setting, you can specify as many subsystems to support as your environment demands. Default: POSIX.

Setting: System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Not Defined
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-572
Registry key: MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
Description: This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security setting is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction policies, you can create a certificate rule that will allow or disallow software that is signed by Authenticode to run, based on the digital certificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting. When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signature are valid. This may decrease performance when starting signed programs. You can disable this feature. On Trusted Publishers Properties, clear the Publisher and Timestamp check boxes. Default: Disabled.

Setting: User Account Control: Admin Approval Mode for the Built-in Administrator account
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Enabled
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-1078
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
Description: There are two possible values:
  - Enabled - The system will only give UIAccess privileges and user rights to executables that are launched from under %ProgramFiles% or %windir%. The ACLs on these directories ensure that the executable is not user-modifiable (which would otherwise allow elevation of privilege). UIAccess executables launched from other locations will launch without additional privileges (i.e. they will run "asInvoker").
  - Disabled - The location checks are not done, so all UIAccess applications will be launched with the user's full access token upon user approval.
  Default: Enabled

Setting: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Prompt for consent
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-1063
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
Description: Behavior of the UAC elevation prompt when the user is in the Administrators Group. Below are the configuration options:
  - Prompt for consent: An operation that requires elevation of privilege will prompt the Consent Admin to select either “Permit” or “Deny”. If the Consent Admin selects Permit the operation will continue with their highest available privilege. “Prompt for consent” removes the inconvenience of requiring that users enter their name and password to perform a privileged task.
  - Prompt for credentials: An operation that requires elevation of privilege will prompt the Consent Admin to enter their user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.
  - No Prompt: This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. Note: this option should be rarely if ever used, as it opens up silent avenues of attack which can be launched without the knowledge of the administrator.
  Default: Prompt for Consent.
  Default:
  - Disabled for new installations and for upgrades where the built-in Administrator is NOT the only local active administrator on the computer. The built-in Administrator account is disabled by default for installations and upgrades on domain-joined computers.
  - Enabled for upgrades when Windows Vista determines that the built-in Administrator account is the only active local
Setting: User Account Control: Behavior of the elevation prompt for standard users
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Prompt for credentials
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-1067
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
Description: When Admin Approval Mode is operational for an Administrator, there are three possible values:
  - No prompt – The elevation occurs automatically and silently. This option allows an administrator in Admin Approval Mode to perform an operation that requires elevation without consent or credentials. Note: this scenario should only be used in the most constrained environments and is NOT recommended.
  - Prompt for consent – An operation that requires a full administrator access token will prompt the administrator in Admin Approval Mode to select either Continue or Cancel. If the administrator clicks Continue, the operation will continue with their highest available privilege.
  - Prompt for credentials – An operation that requires a full administrator access token will prompt an administrator in Admin Approval Mode to enter an administrator user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.
  Default: Prompt for Consent

Setting: User Account Control: Detect application installations and prompt for elevation
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Enabled
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-1128
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
Description: Behavior of the UAC elevation prompt when the user is in the Users group. Below are the configuration options:
  - Prompt for credentials: An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user enters valid credentials the operation will continue with the applicable privilege.
  - No Prompt: This option results in an “access denied” error message being returned to the standard user when they try to perform an operation that requires elevation of privilege. Most enterprises running desktops as standard user will configure the “No prompt” policy to reduce help desk calls.
  Default: Home: Prompt for Credentials, Enterprise: No Prompt

Setting: User Account Control: Only elevate executables that are signed and validated
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Disabled
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-1104
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
Description: There are two possible values for controlling UAC behavior when an application installation is launched:
  - Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation prompt UX. The user is prompted for consent or credentials when Windows Vista detects an installer.
  - Disabled: Enterprises running standard user desktops that leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS will disable this feature. In this case, installer detection is unnecessary and thus not required.
  Default: Enabled

Setting: User Account Control: Only elevate UIAccess applications that are installed in secure locations
Policy path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
FDCC value (col. 1): Enabled
FDCC value (col. 2): (Not applicable)
CCE ID: CCE-986
Registry key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
Description: There are two possible values:
  - Enabled - Only signed executable files will run. This policy will enforce PKI signature checks on any interactive application that requests elevation. Enterprise administrators can control the administrative application allowed list through the population of certificates in the local computer's Trusted Publisher Store.
  - Disabled - Both signed and unsigned code will be run.
  Default: Disabled

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: User Account Control: Run all administrators in Admin Approval Mode
Vista value: Enabled
XP value: (Not applicable)
CCE ID: CCE-1050
Registry path: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Description:
There are two possible values:
- Enabled: Both administrators and standard users will be prompted when attempting to perform administrative operations. The prompt style is dependent on policy.
- Disabled: UAC is essentially "turned off" and the AIS service is disabled from automatically starting. The Windows Security Center will also notify the logged-on user that the overall security of the operating system has been reduced and will give the user the ability to self-enable UAC.
Default: Enabled
Note: Changing this setting will require a system reboot. Disabling this policy turns UAC "off." Files and folders are no longer virtualized to per-user locations for non-UAC compliant applications, and all local administrators are automatically logged in with a full administrative access token. Disabling this setting essentially causes Windows Vista to revert to the Windows XP user model. While some non-UAC compliant applications may recommend turning UAC off, it is not necessary to do so, since Windows Vista includes folder and registry virtualization for pre-Windows Vista or non-UAC compliant applications by default. Turning UAC off opens your computer to system-wide malware installs and limits the application compatibility improvements which result from file and registry virtualization.
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: User Account Control: Switch to the secure desktop when prompting for elevation
Vista value: Enabled
XP value: (Not applicable)
CCE ID: CCE-230
Registry path: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
Description:
There are two possible values:
- Enabled: Displays the UAC elevation prompt on the secure desktop. The secure desktop can only receive messages from Windows processes, which eliminates messages from malicious software.
- Disabled: The UAC elevation prompt is displayed on the interactive (user) desktop.
Default: Enabled
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Setting: User Account Control: Virtualize file and registry write failures to per-user locations
Vista value: Enabled
XP value: (Not applicable)
CCE ID: CCE-673
Registry path: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
Description:
There are two possible values:
- Enabled: This policy enables the redirection of pre-Windows Vista application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data back to %ProgramFiles%; %Windir%; %Windir%\system32; or HKLM\Software\.... This setting should be kept enabled in environments that utilize non-UAC compliant software. Applications that lack an application compatibility database entry or a requested execution level marking in the application manifest are not UAC compliant.
- Disabled: Virtualization facilitates the running of pre-Windows Vista (legacy) applications that historically failed to run as a standard user. An administrator running only Windows Vista compliant applications may choose to disable this feature as it is unnecessary. Non-UAC compliant applications that attempt to write to %ProgramFiles%; %Windir%; %Windir%\system32; or HKLM\Software\.... will silently fail if this setting is disabled.
Default: Enabled
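An added compliance check (example code written for this page, not part of the FDCC spreadsheet or any NIST tooling) that reads the four UAC registry values listed above and compares them with the FDCC-expected state. It assumes that the MACHINE\ prefix in the spreadsheet maps to HKLM:\ and that each value is a REG_DWORD where 1 means Enabled and 0 means Disabled.

```powershell
# Added example: audit the UAC policy values from the FDCC rows above.
# Assumption: each value is a REG_DWORD, 1 = Enabled, 0 = Disabled.
# Assumption: MACHINE\ in the spreadsheet corresponds to HKLM:\ in PowerShell.
$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> FDCC-expected state, taken from the spreadsheet rows above.
$FdccExpected = [ordered]@{
    ValidateAdminCodeSignatures = 1   # CCE-986:  Enabled (Windows default is Disabled)
    EnableLUA                   = 1   # CCE-1050: Enabled
    PromptOnSecureDesktop       = 1   # CCE-230:  Enabled
    EnableVirtualization        = 1   # CCE-673:  Enabled
}

function Test-FdccUacPolicy {
    param(
        [string]$Key = $PolicyKey,
        [System.Collections.IDictionary]$Baseline = $FdccExpected
    )

    # Read every value under the key once; a missing key yields $null.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($name in $Baseline.Keys) {
        $actual = $null
        if ($props -and ($null -ne $props.$name)) {
            $actual = [int]$props.$name
        }

        # A value that is not set is reported as such rather than treated
        # as Disabled, because Windows then applies its own built-in default
        # (Disabled for ValidateAdminCodeSignatures, Enabled for the rest).
        $shown = if ($null -eq $actual) { '(not set)' } else { $actual }

        [pscustomobject]@{
            Value     = $name
            Expected  = $Baseline[$name]
            Actual    = $shown
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
}

# Report one line per policy value; any Compliant=False row deviates from FDCC.
Test-FdccUacPolicy | Format-Table -AutoSize
```

The script only reports; per the EnableLUA row above, changing that value requires a reboot before it takes effect, so a remediation step should be planned with that in mind.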




Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Access Credential Manager as a trusted caller
Vista value: Not Defined
XP value: (Not Applicable)
CCE ID: CCE-389
Description:
Allows a user or group to establish a trusted connection to Credential Manager. This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.


Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Access this computer from the network
Vista value: Administrators
XP value: Administrators
CCE ID: CCE-532
Description:
Determines which users and groups are allowed to connect to the computer over the network.
Default:
• On workstations and servers:
  • Administrators
  • Backup Operators
  • Power Users
  • Users
  • Everyone
• On domain controllers:
  • Administrators
  • Authenticated Users
  • Everyone

Impact of turning off: Blocks deploying IPSec using Kerberos, because machines have to be able to authorize to create the IPSec session. From KB Article 823659: Examples of such network operations include the replication of Active Directory between domain controllers in a common domain or forest, authentication requests to domain controllers from users and from computers, and access to shared folders, to printers, and to other system services that are located on remote computers on the network.
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Act as part of the operating system
Vista value: (None)
XP value: (None)
CCE ID: CCE-162
Description:
This policy allows a process to authenticate as any user, and therefore gain access to the same resources as any user. Only low-level authentication services should require this privilege.
Potential access is not limited to the default user associations, because the calling process might request that arbitrary additional access permissions be put in the access token. A greater concern is that the calling process can build an anonymous token that can provide any and all access permissions. In addition, the anonymous token does not provide a primary identity for tracking events in the audit log.
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.



Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Add workstations to a domain
Vista value: Not Defined
XP value: Not Defined
CCE ID: CCE-183
Description:
Determines which groups or users can add workstations to a domain.
This policy is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.
Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.
Default: Authenticated Users.

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Adjust memory quotas for a process
Vista value: Administrators, Local Service, Network Service
XP value: NETWORK SERVICE, LOCAL SERVICE, Administrators
CCE ID: CCE-807
Description:
Determines which accounts can use a process with Write Property access to another process to increase the processor quota assigned to the other process.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.


Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Allow log on locally
Vista value: Administrators, Users
XP value: (Not Applicable)
CCE ID: CCE-965
Description:
This logon right determines which users can interactively log on to this computer. Logons initiated by pressing the CTRL+ALT+DEL sequence on the attached keyboard require the user to have this logon right. Additionally, this logon right may be required by some service or administrative applications that can log on users. If you define this policy for a user or group, you must also give the Administrators group this right.
Default on workstations and servers: Administrators, Backup Operators, Users.
Default on domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, Server Operators.

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Allow log on through Terminal Services
Vista value: Administrators, Remote Desktop Users
XP value: Administrators, Remote Desktop Users
CCE ID: CCE-883
Description:
Determines which users or groups have permission to log on as a Terminal Services client.
Default: On workstations and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators.

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Backup files and directories
Vista value: Administrators
XP value: Administrators
CCE ID: CCE-931
Description:
Determines which users can circumvent file and directory permissions for the purposes of backing up the system. Specifically, this privilege is similar to granting the following permissions to the user or group in question on all files and folders on the system:
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
Default: Administrators and Backup Operators.
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Bypass traverse checking
Vista value: Administrators, Users, Local Service, Network Service
XP value: Administrators, Users
CCE ID: CCE-376
Description:
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default on workstations and servers: Administrators, Backup Operators, Users, Everyone, Local Service, Network Service



Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Change the system time
Vista value: LOCAL SERVICE, Administrators
XP value: Administrators
CCE ID: CCE-799
Description:
Determines which users and groups can change the time and date on the internal clock of the computer.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default on workstations and servers: Administrators, Power Users

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Change the time zone
Vista value: Local Service, Administrators, Users
XP value: (Not Applicable)
CCE ID: CCE-470
Description:
This setting determines which users can change the time zone of the computer. Especially useful for mobile workers.

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Create a pagefile
Vista value: Administrators
XP value: Administrators
CCE ID: CCE-895
Description:
Determines which users and groups can create and change the size of a pagefile. You can create a pagefile by specifying a paging file size for a given drive in System Properties, Performance Options.

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Create a token object
Vista value: (None)
XP value: (None)
CCE ID: CCE-926
Description:
Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. It is generally recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Create global objects
Vista value: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE
XP value: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE
CCE ID: CCE-383
Description:
This user right is required for a user account to create global objects during Terminal Services sessions. Users can still create session-specific objects without being assigned this user right.
Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
Default: Administrators, Local Service, Network Service, Service

Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Setting: Create permanent shared objects
Vista value: (None)
XP value: (None)
CCE ID: CCE-335
Description:
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
Default: None.


Computer                     Create Symbolic Links      Administrators                   (Not Applicable)        CCE-1176   This user right is required for a user account to create global
Configuration\Windows                                                                                                       objects during Terminal Services sessions. Users can still
                                                                                                                            create session-specific objects without being assigned this
Settings\Security                                                                                                           user right.
Settings\Local Policies\User                                                                                                Caution: Assigning this user right can be a security risk.
Rights Assignment                                                                                                           Assign this user right only to trusted users.
                                                                                                                            Default: Administrators, Local Service, Network Service
                                                                                                                            Service
Computer                     Debug programs               (None)        Administrators             CCE-842   Determines which users can attach a debugger to any
Configuration\Windows                                                                                        process. This privilege provides powerful access to sensitive
                                                                                                             and critical operating system components.
Settings\Security                                                                                            Note: older version of Update.exe required this privilege; new
Settings\Local Policies\User                                                                                 version eliminates requirement KB 830846. Software
Rights Assignment                                                                                            Developers often require this privilege; grant that by
                                                                                                             exception.

Computer                     Deny access to this          Guests        Guests, Support_388945a0   CCE-898   Determines which users are prevented from accessing a
Configuration\Windows        computer from the network                                                       computer over the network. This policy setting supersedes the
                                                                                                             Access this computer from the network policy setting if a user
Settings\Security                                                                                            account is subject to both policies.
Settings\Local Policies\User                                                                                 Default on workstations and servers: Administrators, Backup
Rights Assignment                                                                                            Operators, Power Users, Users, Everyone


Computer                     Deny log on as a batch job   Guests        Guests, Support_388945a0   CCE-165   Determines which accounts are prevented from being able to
Configuration\Windows                                                                                        log on as a batch job. This policy setting supersedes the Log
                                                                                                             on as a batch job policy setting if a user account is subject to
Settings\Security                                                                                            both policies.
Settings\Local Policies\User
Rights Assignment

Computer                     Deny log on as a service     (None)        (None)                     CCE-597   Determines which service accounts are prevented from
Configuration\Windows                                                                                        registering a process as a service. This policy setting
                                                                                                             supersedes the Log on as a service policy setting if an
Settings\Security                                                                                            account is subject to both policies.
Settings\Local Policies\User
Rights Assignment

Computer                     Deny log on locally          Guests        Guests, Support_388945a0   CCE-64    Determines which users are prevented from logging on at the
Configuration\Windows                                                                                        computer. This policy setting supersedes the Log on locally
                                                                                                             policy setting if an account is subject to both policies.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Deny log on through          Guests        Guests                     CCE-108   Determines which users and groups are prohibited from
Configuration\Windows        Terminal Services                                                               logging on as a Terminal Services client.
                                                                                                             Default: None.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Enable computer and user     Not Defined   Not Defined                CCE-15    Determines which users can set the Trusted for Delegation
Configuration\Windows        accounts to be trusted for                                                      setting on a user or computer object. The user or object that
                                                                                                             is granted this privilege must have write access to the account
Settings\Security            delegation                                                                      control flags on the user or computer object. A server process
Settings\Local Policies\User                                                                                 running on a computer (or under a user context) that is
Rights Assignment                                                                                            trusted for delegation can access resources on another
                                                                                                             computer using a client's delegated credentials, as long as the
                                                                                                             client's account does not have the Account cannot be
                                                                                                             delegated account control flag set. This user right is defined
                                                                                                             in the Default Domain Controller Group Policy object (GPO)
                                                                                                             and in the local security policy of workstations and servers.
                                                                                                             Default: Administrators on domain controllers.
                                                                                                             Note: Misuse of this privilege, or of the Trusted for Delegation
                                                                                                             setting, could make the network vulnerable to sophisticated
                                                                                                             attacks using Trojan horse programs that impersonate
                                                                                                             incoming clients and use their credentials to gain access to
                                                                                                             network resources.
Computer                     Force shutdown from a          Administrators                  Administrators           CCE-754    Determines which users are allowed to shut down a computer
Configuration\Windows        remote system                                                                                      from a remote location on the network. This user right is
                                                                                                                                defined in the Default Domain Controller Group Policy object
Settings\Security                                                                                                               (GPO) and in the local security policy of workstations and
Settings\Local Policies\User                                                                                                    servers.
Rights Assignment                                                                                                               Default: On workstations and servers: Administrators. On
                                                                                                                                domain controllers: Administrators, Server Operators.


Computer                     Generate security audits       Network Service, Local Service NETWORK SERVICE, LOCAL CCE-939       Determines which accounts can be used by a process to add
Configuration\Windows                                                                      SERVICE                              entries to the security log. The security log is used to trace
                                                                                                                                unauthorized system access.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Impersonate a client after     Administrators, SERVICE,       SERVICE, Administrators   CCE-304    Allows an application that is running under user context to
Configuration\Windows        authentication                 Local Service, Network Service                                      make RPC calls, named pipes calls. Application can
                                                                                                                                impersonate a client after authentication.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Increase a process working     Administrators, Local Service   (Not Applicable)         CCE-1027   Allocate more memory for applications that run in the context
Configuration\Windows        set                                                                                                of user.

Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Increase scheduling priority   Administrators                  Administrators           CCE-349    Determines which accounts can use a process with Write
Configuration\Windows                                                                                                           Property access to another process to increase the execution
                                                                                                                                priority assigned to the other process. A user with this
Settings\Security                                                                                                               privilege can change the scheduling priority of a process
Settings\Local Policies\User                                                                                                    through the Task Manager user interface.
Rights Assignment

Computer                     Load and unload device         Administrators                  Administrators           CCE-860    Determines which users can dynamically load and unload
Configuration\Windows        drivers                                                                                            device drivers. This privilege is necessary for installing drivers
                                                                                                                                for Plug and Play devices.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Lock pages in memory           (None)                          (None)                   CCE-749    This policy determines which accounts can use a process to
Configuration\Windows                                                                                                           keep data in physical memory, which prevents the system
                                                                                                                                from paging the data to virtual memory on disk. Exercising this
Settings\Security                                                                                                               privilege could significantly affect system performance by
Settings\Local Policies\User                                                                                                    decreasing the amount of available random access memory
Rights Assignment                                                                                                               (RAM).


Computer                     Log on as a batch job          (None)                          (None)                   CCE-177    Allows a user to be logged on by means of a batch-queue
Configuration\Windows                                                                                                           facility. For example, when a user submits a job by means of
                                                                                                                                the task scheduler, the task scheduler logs that user on as a
Settings\Security                                                                                                               batch user rather than as an interactive user.
Settings\Local Policies\User
Rights Assignment

Computer                     Log on as a service            (None)                          NETWORK SERVICE, LOCAL CCE-216      Determines which service accounts can register a process as
Configuration\Windows                                                                       SERVICE                             a service.
                                                                                                                                Note: SQL, Exchange, etc. require this and add upon
Settings\Security                                                                                                               installation
Settings\Local Policies\User
Rights Assignment
Computer                     Log on locally               (Not Applicable)          Administrators, Users      CCE-965    Determines which accounts can log in interactively at the
Configuration\Windows                                                                                                     console.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Manage auditing and          Administrators            Administrators             CCE-850    Determines which users can specify object access auditing
Configuration\Windows        security log                                                                                 options for individual resources, such as files, Active Directory
                                                                                                                          objects, and registry keys. This policy does not allow a user to
Settings\Security                                                                                                         enable file and object access auditing. For such auditing to be
Settings\Local Policies\User                                                                                              enabled, the Audit object access setting in Computer
Rights Assignment                                                                                                         Configuration\Windows Settings\Security Settings\Local
                                                                                                                          Policies\Audit Policies must be configured. You can view
                                                                                                                          audited events in the security log of the Event Viewer. A user
                                                                                                                          with this privilege can also view and clear the security log.



Computer                     Modify an object label       (None)                    (Not Applicable)           CCE-1023   Required to modify the mandatory integrity level of an object.
Configuration\Windows
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Modify firmware environment Administrators             Administrators             CCE-17     Determines which security groups can modify system-wide
Configuration\Windows        values                                                                                       environment values.

Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Perform volume               Administrators            Administrators             CCE-314    Determines which users and groups have the authority to run
Configuration\Windows        maintenance tasks                                                                            volume maintenance tasks, such as Disk Cleanup and Disk
                                                                                                                          Defragmenter.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Profile single process       Administrators            Administrators             CCE-260    Determines which users can use performance monitoring
Configuration\Windows                                                                                                     tools to monitor the performance of nonsystem processes.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Profile system performance   Administrators            Administrators             CCE-599    Determines which users can use performance monitoring
Configuration\Windows                                                                                                     tools to monitor the performance of system processes.

Settings\Security
Settings\Local Policies\User
Rights Assignment

Computer                     Remove computer from         Administrators, Users     Administrators, Users      CCE-656    Determines whether a user can undock a portable computer
Configuration\Windows        docking station                                                                              from its docking station without logging on. If this policy is
                                                                                                                          enabled, the user must log on before removing the portable
Settings\Security                                                                                                         computer from its docking station. If this policy is disabled, the
Settings\Local Policies\User                                                                                              user may remove the portable computer from its docking
Rights Assignment                                                                                                         station without logging on.


Computer                     Replace a process level      Network Service, Local Service NETWORK SERVICE, LOCAL CCE-667   Determines which user accounts can initiate a process to
Configuration\Windows        token                                                       SERVICE                          replace the default token associated with a started sub-
                                                                                                                          process.
Settings\Security
Settings\Local Policies\User
Rights Assignment
Computer                     Restore files and directories Administrators         Administrators          CCE-553   Determines which users can circumvent file and directory
Configuration\Windows                                                                                               permissions when restoring backed up files and directories,
                                                                                                                    and determines which users can set any valid security
Settings\Security                                                                                                   principal as the owner of an object.
Settings\Local Policies\User                                                                                        Default: Workstations and servers: Administrators, Backup
Rights Assignment                                                                                                   Operators. Domain controllers: Administrators, Backup
                                                                                                                    Operators, Server Operators.

Computer                     Shut down the system         Administrators, Users   Administrators, Users   CCE-839   Determines which users who are logged on locally to the
Configuration\Windows                                                                                               computer can shut down the operating system using the Shut
                                                                                                                    Down command.
Settings\Security                                                                                                   Default: Workstations and servers: Administrators, Backup
Settings\Local Policies\User                                                                                        Operators, Power Users, Users.
Rights Assignment                                                                                                   Domain controllers: Account Operators, Administrators,
                                                                                                                    Backup Operators, Server Operators, Print Operators.

Computer                     Synchronize directory        (None)                  (None)                  CCE-381   Required for a domain controller to use the LDAP directory
Configuration\Windows        service data                                                                           synchronization services. This privilege enables the holder to
                                                                                                                    read all objects and properties in the directory, regardless of
Settings\Security                                                                                                   the protection on the objects and properties. By default, it is
Settings\Local Policies\User                                                                                        assigned to the Administrator and LocalSystem accounts on
Rights Assignment                                                                                                   domain controllers.


Computer                     Take ownership of files or   Administrators          Administrators          CCE-492   Determines which users can take ownership of any securable
Configuration\Windows        other objects                                                                          object in the system, including Active Directory objects, files
                                                                                                                    and folders, printers, registry keys, processes, and threads.
Settings\Security
Settings\Local Policies\User
Rights Assignment

Path for all rows below: Computer Configuration\Windows Settings\Security Settings\System Services

Service                                  Vista         XP                 CCE
Alerter                                  Not Defined   Disabled           CCE-487
Background Intelligent Transfer Service  Not Defined   Manual             CCE-148
ClipBook                                 Not Defined   Disabled           CCE-954
Computer Browser                         Not Defined   Disabled           CCE-294
Error Reporting Service                  Not Defined   Disabled           CCE-774
Fast User Switching Compatibility        Not Defined   Disabled           CCE-800
Fax                                      Not Defined   Disabled           CCE-78
FTP Publishing Service                   Not Defined   Disabled           CCE-712
Indexing Service                         Not Defined   Disabled           CCE-738
Messenger                                Not Defined   Disabled           CCE-729
NetMeeting Remote Desktop Sharing        Not Defined   Disabled           CCE-232
Network DDE                              Not Defined   Disabled           CCE-217
Network DDE DSDM                         Not Defined   Disabled           CCE-768
Remote Access Connection Manager         Not Defined   Not Defined        CCE-750
Routing and Remote Access                Not Defined   Disabled           CCE-223
SSDP Discovery Service                   Not Defined   Disabled           CCE-940
Task Scheduler                           Not Defined   Not Defined        CCE-40
Telnet                                   Not Defined   Disabled           CCE-75
Terminal Services                        Not Defined   Manual             CCE-974
Universal Plug and Play Device Host      Not Defined   Disabled           CCE-608
WebClient                                Not Defined   Disabled           CCE-305
Wireless Zero Configuration              Not Defined   Disabled           CCE-604
WLAN AutoConfig                          Disabled      (Not Applicable)   CCE-957
WMI Performance Adapter                  Not Defined   Manual             CCE-745
World Wide Web Publishing Service        Not Defined   Disabled           CCE-758
Vista CCE v5 Reference    XP CCE v5 Reference
CCE-2363-0                CCE-2928-0
CCE-3177-3                CCE-2986-8
CCE-2715-1                CCE-2466-1
CCE-4662-3                CCE-3188-0
CCE-4666-4                CCE-2708-6
CCE-3936-2                CCE-2803-5
CCE-4755-5                CCE-3063-5
CCE-4702-7                CCE-3208-6
CCE-2323-4                CCE-2994-2
CCE-2967-8                CCE-2920-7
CCE-3240-9                CCE-2439-8
CCE-2883-7                CCE-2981-9
CCE-3033-8                CCE-2735-9
CCE-3311-8                CCE-2889-4
CCE-3015-5                CCE-2904-1
CCE-3302-7                CCE-2693-0
CCE-3165-8                CCE-3006-4
CCE-3121-1                CCE-2116-2
CCE-2659-1                CCE-2794-6
CCE-2839-9                CCE-2345-7
(Not Applicable)          CCE-3019-7
(Not Applicable)          CCE-2966-0
(Not Applicable)          CCE-2050-3
CCE-2905-8                CCE-3014-8
CCE-3196-3                CCE-2336-6
CCE-2931-4                CCE-2777-1
(Not Applicable)          CCE-2784-7
(Not Applicable)          CCE-2220-2
(Not Applicable)          CCE-2833-2
(Not Applicable)          CCE-2175-8
(Not Applicable)          CCE-2052-9
(Not Applicable)          CCE-2184-0
(Not Applicable)          CCE-2312-7
(Not Applicable)          CCE-2726-8
(Not Applicable)          CCE-2699-7
(Not Applicable)          CCE-1909-1
(Not Applicable)          CCE-2145-1
(Not Applicable)          CCE-2436-4
(Not Applicable)          CCE-4952-8
(Not Applicable)          CCE-2178-2
(Not Applicable)          CCE-2672-4
(Not Applicable)          CCE-1916-6
(Not Applicable)          CCE-2855-5
(Not Applicable)          CCE-2894-4
(Not Applicable)          CCE-2899-3
(Not Applicable)          CCE-2546-0
(Not Applicable)          CCE-2674-0
(Not Applicable)          CCE-2176-6
(Not Applicable)          CCE-2198-0
(Not Applicable)          CCE-2788-8
(Not Applicable)          CCE-2797-9
(Not Applicable)          CCE-2731-8
(Not Applicable)          CCE-1937-2
CCE-2820-9, CCE-3089-0    CCE-2867-0, CCE-3008-0
CCE-3234-2, CCE-3287-0    CCE-2902-5, CCE-2906-6
CCE-3041-1, CCE-3309-2    CCE-2933-0, CCE-2206-1
CCE-3076-7, CCE-2970-2    CCE-2100-6, CCE-2343-2
CCE-2724-3, CCE-3243-3    CCE-2259-0, CCE-2766-4
CCE-2746-6, CCE-2653-4    CCE-2971-0, CCE-2759-9
CCE-2322-6, CCE-3257-3    CCE-2913-2, CCE-2918-1
CCE-3024-7, CCE-2927-2    CCE-2816-7, CCE-2939-7
CCE-2953-8, CCE-3222-7    CCE-2878-7, CCE-2843-1
CCE-3032-0                CCE-2943-9
CCE-3248-2                CCE-3040-3
CCE-2398-6                CCE-2344-0
CCE-2714-4                CCE-3135-1
CCE-2359-8                CCE-3025-4
CCE-3285-4                CCE-3162-5
CCE-3303-5                CCE-2955-3
CCE-3450-4                (Not Applicable)
CCE-3001-5                CCE-2851-4
CCE-3371-2                CCE-3010-6
CCE-3266-4                CCE-2662-5
CCE-3326-6                CCE-3009-8
CCE-3225-0                CCE-3111-2
CCE-3325-8                CCE-2789-6
CCE-2858-9                CCE-2974-4
CCE-3168-2                CCE-2873-8
(Not Applicable)          CCE-3085-8
(Not Applicable)          CCE-2968-6
(Not Applicable)          CCE-2551-0
(Not Applicable)          CCE-3123-7
CCE-3330-8                CCE-3097-3
CCE-2467-9                CCE-2996-7
CCE-3233-4                CCE-3000-7
CCE-3255-7                CCE-2313-5
CCE-3075-9                CCE-3018-9
CCE-3212-8                CCE-3151-8
CCE-3173-2                CCE-2930-6
CCE-3307-6                CCE-2891-0
CCE-3336-5                CCE-2472-9
CCE-3314-2                CCE-2573-4
CCE-2376-2                CCE-3106-2
CCE-3230-0                CCE-2701-1
CCE-3220-1                CCE-3172-4
CCE-2772-2                CCE-3186-4
CCE-3251-6                CCE-3133-6
CCE-3252-4                CCE-3027-0
CCE-2380-4                CCE-2802-7
CCE-2838-1                CCE-3049-4
CCE-2519-7                CCE-3157-5
CCE-3023-9                CCE-3053-6
CCE-3164-1                CCE-2688-0
CCE-3361-3                CCE-2692-2
CCE-3072-6                CCE-2776-3
CCE-3261-5                CCE-3132-8
CCE-3120-3                CCE-2718-5
CCE-3239-1                CCE-2824-1
CCE-3949-5                CCE-3017-1
CCE-3067-6                CCE-2952-0
CCE-3142-7                CCE-2559-3
CCE-4904-9                CCE-3044-5
CCE-2719-3                CCE-2710-2
CCE-2785-4                CCE-3118-7
CCE-3244-1                CCE-2683-1
CCE-3279-7                CCE-2652-6
CCE-3199-7                CCE-2841-5
CCE-3050-2                CCE-2980-1
CCE-2679-9                CCE-2916-5
CCE-3459-5                CCE-2213-7
CCE-3460-3                CCE-2239-2
CCE-3181-5                CCE-3061-9
CCE-2339-0                CCE-2973-6
CCE-3272-2                CCE-2147-7
CCE-3232-6                CCE-2804-3
CCE-3379-5                CCE-3088-2
CCE-2457-0                CCE-3110-4
CCE-3380-3                CCE-3150-0
CCE-2825-8                (Not Applicable)
CCE-4781-1                CCE-3155-9
CCE-3292-0                CCE-2834-0
CCE-3349-8                CCE-3036-1
CCE-3367-0                CCE-3058-5
CCE-3138-5                CCE-2993-4
CCE-3283-9                CCE-3139-3
CCE-4922-1                CCE-2926-4
CCE-4940-3                CCE-2991-8
CCE-4583-1                CCE-3156-7
CCE-4213-5                CCE-2799-5
CCE-4107-9                CCE-2935-5
CCE-3953-7                CCE-2957-9
CCE-3954-5                CCE-2983-5
CCE-3969-3                CCE-3128-6
(Not Applicable)          CCE-2992-6
CCE-4774-6                CCE-3084-1
(Not Applicable)          CCE-2842-3
CCE-4841-3                CCE-2987-6
CCE-4011-3                CCE-3005-6
(Not Applicable)          CCE-2705-2
(Not Applicable)          CCE-2723-5
CCE-4955-1                (Not Applicable)
CCE-4016-2                (Not Applicable)
CCE-4969-2                (Not Applicable)
CCE-4612-8                (Not Applicable)
CCE-5004-7                (Not Applicable)
CCE-4020-4                (Not Applicable)
CCE-4907-2                (Not Applicable)
CCE-4925-4                (Not Applicable)
CCE-4194-7                (Not Applicable)
(Not Applicable)          (Not Applicable)
CCE-4334-9                CCE-2379-6
CCE-4088-1                CCE-2167-5
(Not Applicable)          CCE-2374-7
CCE-4854-6                CCE-2547-8
CCE-4872-8                CCE-2829-0
CCE-4264-8                CCE-3004-9
CCE-4827-2                CCE-2299-6
CCE-4973-4                CCE-2806-8
CCE-4863-7                CCE-2846-4
CCE-5008-8                (Not Applicable)
CCE-4757-1                CCE-2786-2
CCE-4902-3                CCE-2791-2
CCE-4792-8                CCE-3107-0
CCE-4184-8                CCE-1969-5
CCE-4294-5                (Not Applicable)
CCE-4687-0                CCE-2864-7
CCE-4704-3                CCE-1978-6
CCE-4722-5                CCE-2898-5
CCE-4867-8                CCE-2792-0
CCE-4889-2                CCE-2700-3
CCE-4656-5                CCE-2814-2
(Not Applicable)          CCE-2982-7
CCE-4673-0                CCE-2886-0
CCE-4488-3                CCE-2767-2
CCE-4382-8                CCE-2737-5
CCE-4651-6                (Not Applicable)
CCE-4796-9                CCE-2944-7
CCE-4034-5                CCE-2446-3
CCE-4317-4                CCE-2609-6
CCE-4083-2                CCE-2882-9
CCE-4038-6                CCE-2948-8
CCE-4872-8                CCE-2829-0
CCE-4046-9                CCE-2247-5
CCE-4285-3                (Not Applicable)
CCE-4048-5                CCE-2657-5
CCE-4071-7                CCE-2960-3
CCE-4962-7                CCE-2807-6
CCE-4618-5                CCE-2675-7
CCE-4861-1                CCE-2335-8
CCE-4372-9                CCE-2860-5
CCE-4948-6                CCE-2847-2
CCE-4569-0                CCE-2366-3
CCE-4970-0                CCE-2810-0
CCE-4988-2                CCE-2021-4
(Not Applicable)          CCE-3034-6
(Not Applicable)          CCE-2818-3
(Not Applicable)          CCE-2713-6
(Not Applicable)          CCE-2880-3
(Not Applicable)          CCE-3236-7
(Not Applicable)          CCE-2950-4
(Not Applicable)          CCE-2849-8
(Not Applicable)          CCE-2888-6
(Not Applicable)          CCE-2910-8
CCE-3316-7                CCE-2915-7
CCE-3082-5                CCE-2896-9
(Not Applicable)          CCE-3131-0
(Not Applicable)          CCE-3122-9
(Not Applicable)          CCE-3104-7
(Not Applicable)          CCE-3035-3
(Not Applicable)          CCE-2661-7
(Not Applicable)          CCE-2934-8
(Not Applicable)          CCE-2326-7
(Not Applicable)          CCE-3043-7
(Not Applicable)          CCE-3048-6
(Not Applicable)          CCE-3291-2
(Not Applicable)          CCE-2494-3
CCE-4627-6                (Not Applicable)
(Not Applicable)          CCE-3265-6
(Not Applicable)          CCE-2942-1
Policy Path | Policy Setting Name | FDCC Windows Vista | FDCC Windows XP | CCE Reference | Registry Setting | Description

Policy Path: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
Policy Setting Name: Turn on Mapper I/O (LLTDIO) driver
FDCC Windows Vista: Disabled
FDCC Windows XP: (Not Applicable)
CCE Reference: CCE-947
Registry Setting: HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableLLTDIO, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowLLTDIOOnDomain, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowLLTDIOOnPublicNet, HKLM\Software\Policies\Microsoft\Windows\LLTD!ProhibitLLTDIOOnPrivateNet
Description: This policy setting turns on the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. If you disable this policy setting, LLTDIO will not participate in any of the activities described above. If you do not configure this policy setting, LLTDIO will be enabled with all options turned on at all times.

Policy Path: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
Policy Setting Name: Turn on Responder (RSPNDR) driver
FDCC Windows Vista: Disabled
FDCC Windows XP: (Not Applicable)
CCE Reference: CCE-1134
Registry Setting: HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableRspndr, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowRspndrOnDomain, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowRspndrOnPublicNet, HKLM\Software\Policies\Microsoft\Windows\LLTD!ProhibitRspndrOnPrivateNet
Description: This policy setting turns on the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. If you disable this policy setting, the Responder will not participate in any of the activities described above. If you do not configure this policy setting, the Responder will be enabled with all options turned on at all times.

Policy Path: Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services
Policy Setting Name: Turn Off Microsoft Peer-to-Peer Networking Services
FDCC Windows Vista: Enabled
FDCC Windows XP: Enabled
CCE Reference: CCE-86
Registry Setting: HKLM\Software\policies\Microsoft\Peernet!Disabled
Description: This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. If you enable this setting, peer-to-peer protocols will be turned off. If you disable this setting or do not configure it, peer-to-peer protocols will be turned on.

Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections
Policy Setting Name: Prohibit installation and configuration of Network Bridge on your DNS domain network
FDCC Windows Vista: Enabled
FDCC Windows XP: Enabled
CCE Reference: CCE-896
Registry Setting: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA
Description: Determines whether a user can install and configure the Network Bridge. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder. If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer.

Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections
Policy Setting Name: Prohibit use of Internet Connection Firewall on your DNS domain network
FDCC Windows Vista: Enabled
FDCC Windows XP: Enabled
CCE Reference: CCE-241
Registry Setting: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_PersonalFirewallConfig
Description: Prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. Note: If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you

Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections
Policy Setting Name: Prohibit use of Internet Connection Sharing on your DNS domain network
FDCC Windows Vista: Enabled
FDCC Windows XP: Enabled
CCE Reference: CCE-672
Registry Setting: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_ShowSharedAccessUI
Description: Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced

Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Policy Setting Name: Windows Firewall: Allow file and printer sharing exception
FDCC Windows Vista: (Not Applicable)
FDCC Windows XP: Disabled
CCE Reference: CCE-555
Registry Setting: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!RemoteAddresses
Description: The Windows Firewall: Allow file and printer sharing exception setting specifies whether the ports for file and printer sharing are open. Default: Not Configured, which means the ports for file and printer sharing are not opened. The shared files and printers on the computer will not be available from other computers. However, local administrators can configure the pre-defined File and Printer Sharing exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel. When Enabled, the following ports for file and printer sharing are opened: UDP 137, UDP 138, TCP 139, TCP 445. Note: When you enable the pre-defined File and Printer Sharing exception, Windows Firewall also allows incoming ICMP Echo messages.

Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Policy Setting Name: Windows Firewall: Allow ICMP exceptions
FDCC Windows Vista: (Not Applicable)
FDCC Windows XP: Enabled: Allow inbound echo requests
CCE Reference: CCE-277
Registry Setting: ##################################
Description: The Windows Firewall: Allow ICMP exceptions setting allows you to configure specific types of ICMP messages as excepted traffic. Default: Not Configured, which means local administrators can define ICMP exceptions, such as from the Advanced tab of the Windows Firewall component in Control Panel. When Enabled, the specified unsolicited incoming ICMP traffic is allowed. When you select Enabled, you must also specify the specific types of ICMP messages that are allowed. Selecting Enabled overrides the local ICMP settings of Windows Firewall. When you select Disabled, no unsolicited incoming ICMP traffic is allowed, and local administrators cannot define ICMP exceptions. If you do not enable this setting and select Allow inbound echo request, tools that use the ICMP Echo message (also known as the ICMP Echo Request message) such as Ping or Tracert will not work. If you are running network management software that uses ICMP Destination Unreachable messages, also select Allow outbound destination unreachable. If any policy setting opens TCP port 445, Windows Firewall automatically allows incoming ICMP Echo messages, even if the Windows Firewall: Allow ICMP exceptions setting is disabled. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows

Policy Path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Policy Setting Name: Windows Firewall: Allow local port exceptions
FDCC Windows Vista: (Not Applicable)
FDCC Windows XP: Disabled
CCE Reference: CCE-370
Registry Setting: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUserPrefMerge
Description: The Windows Firewall: Allow local port exceptions setting allows you to specify whether local administrators are allowed to configure their own port exceptions. You can select the following: Default: Local administrators cannot add port exceptions unless the Windows Firewall: Define port exceptions setting is set to Not Configured. If
                                                                                                                                                        the Windows Firewall: Define port exceptions setting is set to Enabled or
                                                                                                                                                        Disabled, local administrators cannot define a local port exceptions list.
                                                                                                                                                        -Enabled: Local administrators can add port exceptions.
                                                                                                                                                        -Disabled: Local administrators cannot add port exceptions.


Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Allow local program exceptions | (Not Applicable) | Disabled | CCE-502 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!AllowUserPrefMerge
The Windows Firewall: Allow local program exceptions setting allows you to specify whether local administrators are allowed to configure their own program exceptions.
Default: Not Configured. If the Windows Firewall: Define program exceptions setting is set to Not Configured, local administrators can add program exceptions locally, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
- Enabled: Local administrators can add program exceptions.
- Disabled: Local administrators cannot add program exceptions.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Allow logging | (Not Applicable) | Enabled: Log dropped packets, Log successful connections, Log file path and name: %systemroot%\domainfw.log, size limit: 16384 | CCE-251, CCE-617, CCE-793, CCE-57 | ##################################
The Windows Firewall: Allow logging setting specifies whether the Windows Firewall logs activity information to a log file.
Default: Not Configured. Logging is not enabled.
- Enabled: Logging is enabled with the specified log file settings.
- Disabled: Logging is not enabled. Local administrators cannot enable logging, such as from the Advanced tab of the Windows Firewall component in Control Panel.
If enabled, you must provide the name, location, and maximum size of the log file (up to a maximum size of 32767 KB). When the log file becomes full, it is archived and a new file is created. The location can contain environment variables, such as %SystemRoot%. You can also separately specify whether you want to log the following:
- Dropped packets, which correspond to incoming unsolicited traffic that was not excepted.
- Successful connections, which correspond to successful incoming and outgoing connections.
There is no option to log incoming packets (solicited or unsolicited) that were not dropped.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Allow remote administration exception | (Not Applicable) | Enabled | CCE-771 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
The Windows Firewall: Allow remote administration exception setting allows you to specify whether computers running Windows XP with SP2 can be remotely administered by applications that use TCP ports 135 and 445 (such as MMC and WMI). Services that use these ports to communicate are using remote procedure calls (RPC) and Distributed Component Object Model (DCOM) to access remote hosts. In effect, Windows Firewall adds Svchost.exe and Lsass.exe to the program exceptions list and allows those services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. Windows Firewall also allows incoming ICMP Echo messages (also known as the ICMP Echo Request messages).
Default: Remote administration is not allowed.
- Enabled: Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. In Allow unsolicited incoming messages from, type * to specify traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas.
- Disabled: Remote administration is not allowed. Windows Firewall blocks port 135 and does not open 445. Also, in effect, it adds SVCHOST.EXE and LSASS.EXE to the program exceptions list with the Status of Disabled. Because disabling this policy setting does not block TCP port 445, it does not conflict with the Windows Firewall: Allow file and printer sharing exception setting. This does not prevent these programs from running or their

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Allow Remote Desktop exception | (Not Applicable) | Enabled | CCE-832 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!RemoteAddresses
The Windows Firewall: Allow Remote Desktop exception setting allows you to specify whether Remote Desktop connections are allowed.
Default: Remote Desktop connections are not allowed. However, local administrators can configure the pre-defined Remote Desktop exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
- Enabled: Remote Desktop connections are allowed. TCP port 3389 is opened. In Allow unsolicited incoming messages from, type * to specify Remote Desktop traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:
LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24
IPv6 traffic supports the * and LocalSubnet scopes.
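The scope syntax described above (*, LocalSubnet, single IPv4 addresses, and ranges written with either a dotted decimal mask or a prefix length) is easy to get wrong when reviewing a RemoteAddresses value, so here is an added Python example, not part of the FDCC sheet or of Windows, that parses such a list and evaluates whether a given source falls inside it. The host's own subnet (needed only for LocalSubnet) is passed in by the caller; the parser treats any entry outside the documented forms as an error.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the example RemoteAddresses list quoted in the Remote
# Desktop exception description (this parser is added here, not Microsoft code).
EXAMPLE_SCOPE = ("LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,"
                 "10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24")


@dataclass
class Scope:
    """Parsed 'Allow unsolicited incoming messages from' value."""
    any_source: bool = False                                  # "*" was listed
    local_subnet: bool = False                                # "LocalSubnet" was listed
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)


def parse_scope(text: str) -> Scope:
    """Parse a comma-separated scope string into a Scope.

    Accepted entries follow the setting text: '*', 'LocalSubnet', a single IPv4
    address, or an IPv4 range given as a network ID or a host address inside
    the range plus a dotted decimal subnet mask or a prefix length.
    Anything else raises ValueError.
    """
    scope = Scope()
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty entry in scope list")
        if token == "*":
            scope.any_source = True
        elif token.lower() == "localsubnet":
            scope.local_subnet = True
        else:
            # ipaddress understands both '/24' and '/255.255.255.0'. strict=False
            # lets a host address inside the range (10.47.81.231/24) stand for
            # the whole range, as the setting text allows.
            try:
                net = ipaddress.IPv4Network(token, strict=False)
            except ValueError as exc:
                raise ValueError(f"invalid IPv4 scope entry {token!r}") from exc
            scope.networks.append(net)
    return scope


def normalized_networks(scope: Scope) -> List[str]:
    """Canonical CIDR form of each explicit range, e.g. '10.7.14.0/24'."""
    return [str(net) for net in scope.networks]


def source_allowed(scope: Scope, source: str,
                   local_subnet: Optional[str] = None) -> bool:
    """Would traffic from `source` fall inside `scope`?

    `local_subnet` is the host's own directly reachable subnet in CIDR form; it
    matters only when the scope lists LocalSubnet. IPv6 sources honor just the
    '*' and LocalSubnet entries, as the setting text states.
    """
    addr = ipaddress.ip_address(source)
    if scope.any_source:
        return True
    if scope.local_subnet and local_subnet is not None:
        # A v4 address is never "in" a v6 network (and vice versa); ipaddress
        # returns False for the mismatch rather than raising.
        if addr in ipaddress.ip_network(local_subnet, strict=False):
            return True
    if isinstance(addr, ipaddress.IPv6Address):
        return False
    return any(addr in net for net in scope.networks)


if __name__ == "__main__":
    scope = parse_scope(EXAMPLE_SCOPE)
    print("explicit ranges:", normalized_networks(scope))
    for src in ("10.7.14.200", "10.7.15.1", "172.16.31.77"):
        print(src, "in scope" if source_allowed(scope, src) else "out of scope")
```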
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Allow UPnP framework exception | (Not Applicable) | Disabled | CCE-590 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!RemoteAddresses
The Windows Firewall: Allow UPnP framework exception setting specifies whether the ports for UPnP traffic are open.
Default: The ports for UPnP traffic are not opened, which prevents the computer from receiving UPnP messages. However, local administrators can configure the pre-defined UPnP Framework exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
- Enabled: The following ports for UPnP traffic are opened: UDP 1900, TCP 2869. In Allow unsolicited incoming messages from, type * to specify UPnP traffic originating from any source IPv4 address or a comma-separated list of sources.
- Disabled: The ports for UPnP traffic are not opened, which prevents the computer from receiving unsolicited incoming UPnP messages. Local administrators cannot configure the pre-defined UPnP Framework exception.
Note: If you only want to open a subset of the ports that this setting opens, leave this setting set to Not Configured and use the Windows Firewall: Define port exceptions setting to selectively open ports.




Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Prohibit notifications | (Not Applicable) | Enabled | CCE-762 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableNotifications
The Windows Firewall: Prohibit notifications setting specifies whether the Windows Firewall displays notification messages when applications listen on a port.
Default: The notification messages are displayed. However, local administrators can configure notification behavior, such as the Notify when Windows Firewall blocks a program option from the Exceptions tab of the Windows Firewall component in Control Panel.
- Enabled: The notification messages are not displayed.
- Disabled: The notification messages are displayed. Local administrators cannot configure notification behavior.
When most applications request an open port, Windows Firewall adds the program to the program exceptions list with the default status value of Disabled. If you enable this policy setting, notifications are not displayed and the status value for the program exception remains Disabled until manually changed. If you disable or do not configure this policy setting, Windows Firewall displays notification messages. If the user is not a local administrator, the message informs them that they might need to contact a network administrator, which can alert the network administrator about possible malicious programs on the network. If the user is a local administrator, and either you have enabled the Windows Firewall: Allow local program exceptions setting or you have not configured the Windows Firewall: Define program exceptions setting, then the notification message allows the user to specify whether to enable the application. If you

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Prohibit unicast response to multicast or broadcast requests | (Not Applicable) | Enabled | CCE-696 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMulticastBroadcast
The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting specifies whether a unicast response message received in response to a multicast or broadcast message that was sent by the computer is dropped.
Default: Disabled. The received unicast response is accepted (not dropped) if received within 3 seconds. The difference between the Not Configured and Disabled settings is based on Group Policy inheritance rules.
- Enabled: The unicast response to a multicast or broadcast packet sent by the computer is dropped.
This setting has no effect if the unicast message is a response to a DHCP broadcast message sent by the computer. Windows Firewall always permits DHCP unicast responses. However, this policy setting can interfere with the unique NetBIOS name conflict detection process, in which a broadcast-based NetBIOS message is sent to register a NetBIOS unique name. If another computer on the network is using that same name, there is a name conflict and the current name owner sends a unicast NetBIOS Negative Name Registration Reply message. If the Windows Firewall drops this message, then the computer continues to use the duplicate name. If the computers are using Windows Internet Name Service (WINS), then the duplicate name is detected via the WINS server.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile | Windows Firewall: Protect all network connections | (Not Applicable) | Enabled | CCE-806 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall
Default: No change to the status of Windows Firewall is made to any of the local connections. Local administrators may enable or disable Windows Firewall locally, such as from the General tab of the Windows Firewall component in Control Panel. The Windows Firewall runs unless you enable the Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting.
- Enabled: Windows Firewall is enabled to protect all network connections and local administrators cannot enable or disable Windows Firewall locally. The Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting is ignored.
- Disabled: Disables Windows Firewall. Local administrators cannot enable the Windows Firewall.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow file and printer sharing exception | (Not Applicable) | Disabled | CCE-626 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!RemoteAddresses
Description:
The Windows Firewall: Allow file and print sharing exception setting specifies whether the ports for file and printer sharing are open.
Default: Not Configured (default) means the ports for file and printer sharing are not opened. The shared files and printers on the computer will not be available from other computers. However, local administrators can configure the pre-defined File and Printer Sharing exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
When Enabled, the following ports for file and printer sharing are opened:
-UDP 137
-UDP 138
-TCP 139
-TCP 445
Note: When you enable the pre-defined File and Printer Sharing exception, Windows Firewall also allows incoming ICMP Echo messages.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow ICMP exceptions | (Not Applicable) | Disabled | CCE-797 | 
Description:
The Windows Firewall: Allow ICMP exceptions setting allows you to configure specific types of ICMP messages as excepted traffic.
Default: Not Configured, which means local administrators can define ICMP exceptions, such as from the Advanced tab of the Windows Firewall component in Control Panel. When Enabled, the specified unsolicited incoming ICMP traffic is allowed. When you select Enabled, you must also specify the specific types of ICMP messages that are allowed. Selecting Enabled overrides the local ICMP settings of Windows Firewall. When you select Disabled, no unsolicited incoming ICMP traffic is allowed. Local administrators cannot define ICMP exceptions. If you do not enable this setting and select Allow inbound echo request, tools that use the ICMP Echo message (also known as the ICMP Echo Request message) such as Ping or Tracert will not work. If you are running network management software that uses ICMP Destination Unreachable messages, also select Allow outbound destination unreachable.
If any policy setting opens TCP port 445, Windows Firewall automatically allows incoming ICMP Echo messages, even if the Windows Firewall: Allow ICMP exceptions setting is disabled. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow local port exceptions | (Not Applicable) | Disabled | CCE-77 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUserPrefMerge
Description:
The Windows Firewall: Allow local port exceptions setting allows you to specify whether local administrators are allowed to configure their own port exceptions.
You can select the following:
Default: Local administrators cannot add port exceptions unless the Windows Firewall: Define port exceptions setting is set to Not Configured. If the Windows Firewall: Define port exceptions setting is set to Enabled or Disabled, local administrators cannot define a local port exceptions list.
-Enabled: Local administrators can add port exceptions.
-Disabled: Local administrators cannot add port exceptions.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow local program exceptions | (Not Applicable) | Disabled | CCE-352 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!AllowUserPrefMerge
Description:
The Windows Firewall: Allow local program exceptions setting allows you to specify whether local administrators are allowed to configure their own program exceptions.
Default: Not Configured. If the Windows Firewall: Define program exceptions setting is set to Not Configured, local administrators can add program exceptions locally, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
-Enabled: Local administrators can add program exceptions.
-Disabled: Local administrators cannot add program exceptions.

Windows Firewall: Allow logging
Description:
The Windows Firewall: Allow logging setting specifies whether the Windows Firewall logs activity information to a log file.
Default: Not Configured. Logging is not enabled.
-Enabled: Logging is enabled with the specified log file settings.
-Disabled: Logging is not enabled. Local administrators cannot enable logging, such as from the Advanced tab of the Windows Firewall component in Control Panel.
If enabled, you must provide the name, location, and maximum size of the log file (up to a maximum size of 32767 KB). When the log file becomes full, it is archived and a new file is created. The location can contain environment variables, such as %SystemRoot%. You can also separately specify whether you want to log the following:
-Dropped packets, which correspond to incoming unsolicited traffic that was not excepted.
-Successful connections, which correspond to successful incoming and outgoing connections.
There is no option to log incoming packets (solicited or unsolicited) that were not dropped.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow Remote Administration Exception | (Not Applicable) | Disabled | CCE-467 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!RemoteAddresses
Description:
The Windows Firewall: Allow remote administration exception setting allows you to specify whether computers running Windows XP with SP2 can be remotely administered by applications that use TCP ports 135 and 445 (such as MMC and WMI). Services that use these ports to communicate are using remote procedure calls (RPC) and Distributed Component Object Model (DCOM) to access remote hosts. In effect, Windows Firewall adds Svchost.exe and Lsass.exe to the program exceptions list and allows those services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. Windows Firewall also allows incoming ICMP Echo messages (also known as the ICMP Echo Request messages).
Default: Remote administration is not allowed.
-Enabled: Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. In Allow unsolicited incoming messages from, type * to specify traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas.
-Disabled: Remote administration is not allowed. Windows Firewall blocks port 135 and does not open 445. Also, in effect, it adds SVCHOST.EXE and LSASS.EXE to the program exceptions list with the Status of Disabled. Because disabling this policy setting does not block TCP port 445, it does not conflict with the Windows Firewall: Allow file and printer sharing exception setting. This does not prevent these programs from running or their

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow Remote Desktop exception | (Not Applicable) | Disabled | CCE-354 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!RemoteAddresses
Description:
The Windows Firewall: Allow Remote Desktop exception setting allows you to specify whether Remote Desktop connections are allowed.
Default: Remote Desktop connections are not allowed. However, local administrators can configure the pre-defined Remote Desktop exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
-Enabled: Remote Desktop connections are allowed. TCP port 3389 is opened. In Allow unsolicited incoming messages from, type * to specify Remote Desktop traffic originating from any source IPv4 address or a comma separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:
LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24
IPv6 traffic supports the * and LocalSubnet scopes.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Allow UPnP framework exception | (Not Applicable) | Disabled | CCE-266 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!RemoteAddresses
Description:
The Windows Firewall: Allow UPnP framework exception setting specifies whether the ports for UPnP traffic are open.
Default: The ports for UPnP traffic are not opened, which prevents the computer from receiving UPnP messages. However, local administrators can configure the pre-defined UPnP Framework exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.
-Enabled: The following ports for UPnP traffic are opened:
-UDP 1900
-TCP 2869
In Allow unsolicited incoming messages from, type * to specify UPnP traffic originating from any source IPv4 address or a comma separated list of sources.
-Disabled: The ports for UPnP traffic are not opened, which prevents the computer from receiving unsolicited incoming UPnP messages. Local administrators cannot configure the pre-defined UPnP Framework exception.
Note: If you only want to open a subset of the ports that this setting opens, leave this setting set to Not Configured and use the Windows Firewall: Define port exceptions setting to selectively open ports.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Do not allow exceptions | (Not Applicable) | Enabled | CCE-440 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DoNotAllowExceptions
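The RemoteAddresses scope syntax described for the remote administration and Remote Desktop exceptions above (* alone, or a comma-separated list of LocalSubnet, dotted-decimal IPv4 addresses, address/dotted-decimal-mask ranges and address/prefix-length ranges) can be evaluated mechanically before a policy is deployed. The PowerShell below is an added example and is not part of the FDCC spreadsheet or of any Microsoft tool. The function names Test-FirewallScopeMatch, ConvertTo-IPv4Int64 and ConvertTo-MaskFromPrefix and the -LocalSubnet parameter are this example's own; the 192.168.1.0/24 local subnet is a constructed value, because the page does not say how LocalSubnet is resolved on a host, so the caller supplies it.

```powershell
# Added example (not from the FDCC spreadsheet): evaluate a Windows Firewall
# RemoteAddresses scope string against a source IPv4 address.
# Scope grammar, as described on the page: "*" alone, or a comma-separated list of
# LocalSubnet, an IPv4 address, address/dotted-decimal-mask, or address/prefix-length.

function ConvertTo-IPv4Int64 {
    # Dotted-decimal IPv4 address -> 32-bit value held in an Int64 (keeps bitwise ops signed and simple).
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"   # page: IPv6 scopes support only * and LocalSubnet
    }
    [long]$value = 0
    foreach ($octet in $ip.GetAddressBytes()) { $value = $value * 256 + $octet }
    return $value
}

function ConvertTo-MaskFromPrefix {
    # Prefix length 0..32 -> subnet mask as an Int64, e.g. 24 -> 0xFFFFFF00.
    param([Parameter(Mandatory)][int]$Prefix)
    if ($Prefix -lt 0 -or $Prefix -gt 32) { throw "Invalid prefix length: $Prefix" }
    return [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix))
}

function Test-FirewallScopeMatch {
    param(
        [Parameter(Mandatory)][string]$Scope,    # RemoteAddresses value, e.g. 'LocalSubnet,10.91.12.56,172.16.31.11/24'
        [Parameter(Mandatory)][string]$Address,  # source IPv4 address to test against the scope
        [string]$LocalSubnet                     # assumption: caller supplies the local subnet, e.g. '192.168.1.0/24'
    )
    if ($Scope.Trim() -eq '*') { return $true }  # "*" means any source address
    $source  = ConvertTo-IPv4Int64 $Address
    $entries = $Scope -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        if ($entry -eq 'LocalSubnet') {
            if (-not $LocalSubnet) { continue }   # cannot evaluate without knowing the local subnet
            $entry = $LocalSubnet
        }
        $parts   = $entry -split '/', 2
        $network = ConvertTo-IPv4Int64 $parts[0]
        if ($parts.Count -eq 1) {
            $mask = [long]4294967295                            # bare address: a single host (/32)
        } elseif ($parts[1] -match '^\d{1,2}$') {
            $mask = ConvertTo-MaskFromPrefix ([int]$parts[1])   # address/prefix-length form
        } else {
            $mask = ConvertTo-IPv4Int64 $parts[1]               # address/dotted-decimal-mask form
        }
        # The page allows any address inside the range (10.47.81.231/24), so mask both sides.
        if (($source -band $mask) -eq ($network -band $mask)) { return $true }
    }
    return $false
}

# The example source list from the page; the local subnet value is constructed for the demo.
$scope = 'LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24'
Test-FirewallScopeMatch -Scope $scope -Address '10.7.14.200' -LocalSubnet '192.168.1.0/24'
Test-FirewallScopeMatch -Scope $scope -Address '172.16.32.5' -LocalSubnet '192.168.1.0/24'
```

The first call falls inside the 10.7.14.9/255.255.255.0 entry (the page's "address within the range" form), the second matches no entry; running the function over every source you expect to administer from, and a few you do not, is a quick way to confirm that a RemoteAddresses value is neither broader nor narrower than intended.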




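Each row in this section pairs a policy with the registry value that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, which makes the FDCC state checkable directly on a host. The PowerShell audit below is an added example, not part of the FDCC spreadsheet or of any NIST or Microsoft tool. It reads the values listed in the rows above and in the Prohibit notifications row that follows (the Allow ICMP exceptions row is omitted because its registry key is not legible in this extract) and compares each with the FDCC state. It assumes, as these policy keys are conventionally written, that Enabled is stored as REG_DWORD 1 and Disabled as 0, and reports a value that is absent as Not Configured; the function name Test-FdccFirewallSetting is this example's own.

```powershell
# Added example (not from the FDCC spreadsheet): compare the Windows Firewall policy
# values listed in this section with the FDCC state on the local host.
# Assumption: each policy's Enabled/Disabled state is a REG_DWORD 1/0 under the listed key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# CCE id, subkey relative to $base, value name, and the DWORD the FDCC state implies.
$checks = @(
    [pscustomobject]@{ CCE='CCE-806'; Key='DomainProfile';                          Name='EnableFirewall';       Expected=1 },
    [pscustomobject]@{ CCE='CCE-626'; Key='StandardProfile\Services\FileAndPrint';  Name='Enabled';              Expected=0 },
    [pscustomobject]@{ CCE='CCE-77';  Key='StandardProfile\GloballyOpenPorts';      Name='AllowUserPrefMerge';   Expected=0 },
    [pscustomobject]@{ CCE='CCE-352'; Key='StandardProfile\AuthorizedApplications'; Name='AllowUserPrefMerge';   Expected=0 },
    [pscustomobject]@{ CCE='CCE-467'; Key='StandardProfile\RemoteAdminSettings';    Name='Enabled';              Expected=0 },
    [pscustomobject]@{ CCE='CCE-354'; Key='StandardProfile\Services\RemoteDesktop'; Name='Enabled';              Expected=0 },
    [pscustomobject]@{ CCE='CCE-266'; Key='StandardProfile\Services\UPnPFramework'; Name='Enabled';              Expected=0 },
    [pscustomobject]@{ CCE='CCE-440'; Key='StandardProfile';                        Name='DoNotAllowExceptions'; Expected=1 },
    [pscustomobject]@{ CCE='CCE-901'; Key='StandardProfile';                        Name='DisableNotifications'; Expected=1 }
)

function Test-FdccFirewallSetting {
    # Returns one result object per check: PASS, FAIL, or NOT CONFIGURED when the value is absent.
    param([Parameter(Mandatory)] $Check)
    $path = Join-Path $base $Check.Key
    # A missing key or value is a non-terminating error; suppress it and treat it as "not configured",
    # which on the page means the policy is not applied and local administrators keep control.
    $item = Get-ItemProperty -Path $path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $status = 'NOT CONFIGURED'
    } else {
        $actual = $item.($Check.Name)
        $status = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }
    [pscustomobject]@{
        CCE      = $Check.CCE
        Value    = "$path!$($Check.Name)"
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = $checks | ForEach-Object { Test-FdccFirewallSetting $_ }
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -ne 'PASS' }   # the rows that need attention
```

Reading these keys needs no elevation, so the script can run under a standard account on the audited host; a NOT CONFIGURED result is worth treating like a FAIL for the settings whose FDCC state is Enabled, because the descriptions above note that an unconfigured policy leaves the decision to local administrators.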
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile | Windows Firewall: Prohibit notifications | (Not Applicable) | Enabled | CCE-901 | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableNotifications
Description:
The Windows Firewall: Prohibit notifications setting specifies whether the Windows Firewall displays notification messages when applications listen on a port.
Default: The notification messages are displayed. However, local administrators can configure notification behavior, such as the Notify when Windows Firewall blocks a program option from the Exceptions tab of the Windows Firewall component in Control Panel.
-Enabled: The notification messages are not displayed.
-Disabled: The notification messages are displayed. Local administrators cannot configure notification behavior. When most applications request an open port, Windows Firewall adds the program to the program exceptions list with the default status value of Disabled. If you enable this policy setting, notifications are not displayed and the status value for the program exception remains Disabled until manually changed. If you disable or do not configure this policy setting, Windows Firewall displays notification messages. If the user is not a local administrator, the message informs them that they might need to contact a network administrator, which can alert the network administrator about possible malicious programs on the network. If the user is a local administrator, and either you have enabled the Windows Firewall: Allow local program exceptions setting or you have not configured the Windows Firewall: Define program exceptions setting, then the notification message allows the user to specify whether to enable the application. If you
Policy path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
Setting: Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Vista: (Not Applicable)
XP: Enabled
CCE ID: CCE-632
Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableUnicastResponseToMulticastBroadcast
Description: The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting specifies whether a unicast response message received in response to a multicast or broadcast message that was sent by the computer is dropped.
Default: Disabled. The received unicast response is accepted (not dropped) if received within 3 seconds. The difference between the Not Configured and Disabled settings is based on Group Policy inheritance rules.
-Enabled: The unicast response to a multicast or broadcast packet sent by the computer is dropped.
This setting has no effect if the unicast message is a response to a DHCP broadcast message sent by the computer. Windows Firewall always permits DHCP unicast responses. However, this policy setting can interfere with the unique NetBIOS name conflict detection process, in which a broadcast-based NetBIOS message is sent to register a NetBIOS unique name. If another computer on the network is using that same name, there is a name conflict and the current name owner sends a unicast NetBIOS Negative Name Registration Reply message. If the Windows Firewall drops this message, then the computer continues to use the duplicate name. If the computers are using Windows Internet Name Service (WINS), then the duplicate name is detected via the WINS server.

Policy path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
Setting: Windows Firewall: Protect all network connections
Vista: (Not Applicable)
XP: Enabled
CCE ID: CCE-273
Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!EnableFirewall
Description:
Default: No change to the status of Windows Firewall is made to any of the local connections. Local administrators may enable or disable Windows Firewall locally, such as from the General tab of the Windows Firewall component in Control Panel. The Windows Firewall runs unless you enable the Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting.
-Enabled: Windows Firewall is enabled to protect all network connections and local administrators cannot enable or disable Windows Firewall locally. The Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting is ignored.
-Disabled: Disables Windows Firewall. Local administrators cannot enable the Windows Firewall.

Policy path: Computer Configuration\Administrative Templates\Network\Windows Connect Now
Setting: Configuration of wireless settings using Windows Connect Now
Vista: Disabled
XP: (Not Applicable)
CCE ID: CCE-734
Registry: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!EnableRegistrars, HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableUPnPRegistrar, HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableFlashConfigRegistrar, HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableWPDRegistrar, HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!MaxWCNDeviceNumber
Description: This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), through the Windows Portable Device API (WPD), and via USB Flash drives.
Additional options are available to allow discovery and configuration over a specific medium. If this policy setting is enabled, additional choices are available to turn off the operations over a specific medium. If this policy setting is disabled, operations are disabled over all media. If this policy setting is not configured, operations are enabled over all media. The default for this policy setting allows operations over all media.

Policy path: Computer Configuration\Administrative Templates\Network\Windows Connect Now
Setting: Prohibit Access of the Windows Connect Now wizards
Vista: Enabled
XP: (Not Applicable)
CCE ID: CCE-629
Registry: HKLM\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
Description: This policy setting prohibits access to Windows Connect Now (WCN) wizards. If this policy setting is enabled, the wizards are disabled and users will have no access to any of the wizard tasks. All the configuration related tasks, including 'Set up a wireless router or access point' and 'Add a wireless device', will be disabled. If this policy is disabled or not configured, users will have access to the wizard tasks, including 'Set up a wireless router or access point' and 'Add a wireless device'. The default for this policy setting allows users to access all WCN wizards.

Policy path: Computer Configuration\Administrative Templates\System\Device Installation
Setting: Allow remote access to the PnP interface
Vista: Disabled
XP: (Not Applicable)
CCE ID: CCE-593
Registry: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC
Description: Specifies whether or not remote access to the Plug and Play interface is allowed. If you enable this setting, remote connections to the PnP interface will be allowed. If you disable or do not configure this setting, the PnP interface will not be available remotely.

Policy path: Computer Configuration\Administrative Templates\System\Device Installation
Setting: Do not create system restore point when new device driver installed
Vista: Disabled
XP: (Not Applicable)
CCE ID: CCE-849
Registry: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSystemRestore
Description: Specifies whether or not a system restore point is created when a new device driver is installed on your machine. If you enable this setting, system restore points will not be created when a new device driver is installed or updated. If you disable or do not configure this setting, a system restore point will be created whenever a new driver is installed or an existing device driver is updated.

Policy path: Computer Configuration\Administrative Templates\System\Device Installation
Setting: Do not send a Windows Error Report when a generic driver is installed on a device
Vista: Enabled
XP: (Not Applicable)
CCE ID: CCE-571
Registry: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendGenericDriverNotFoundToWER
Description: Specifies whether or not to send a Windows Error Report when a generic driver is installed on a device. If you enable this setting, a Windows Error Report will not be sent when a generic driver is installed. If you disable or do not configure this setting, a Windows Error Report will be sent when a generic driver is installed.

Policy path: Computer Configuration\Administrative Templates\System
Setting: Turn off Windows Update device driver search prompt
Vista: Enabled
XP: (Not Applicable)
CCE ID: CCE-927
Registry: HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
Description: Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet.
Note: This setting only has effect if "Turn off Windows Update device driver searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or not configured.
If you enable this setting, administrators will not be prompted to search Windows Update.
If you disable or do not configure this setting, and "Turn off Windows Update device driver searching" is disabled or not configured, the administrator will be prompted for consent before going to Windows Update to search for device drivers.

Policy path: Computer Configuration\Administrative Templates\System\Error Reporting
Setting: Display Error Notification
Vista: (Not Applicable)
XP: Disabled
CCE ID: CCE-259
Registry: (not listed)
Description: Use this setting to control whether or not a user is given the choice to report an error. When Display Error Notification is enabled, the user will be notified that an error has occurred and will be given access to details about the error. If the Configure Error Reporting setting is also enabled, the user will also be given the choice of whether to report the error. When Display Error Notification is not enabled, the user will not be given the choice of whether to report the error. If the Configure Error Reporting setting is enabled, the error will be automatically reported, but the user will not be notified that an error has occurred. Disabling this setting is useful for server machines that do not have interactive users. If you do not configure this setting, the user will be able to adjust the setting via the control panel, which is set to 'enable notification' by default on Windows XP Personal and Windows XP Professional machines and 'disable notification' on servers.
Also, see the "Configure Error Reporting" policy.

Policy path: Computer Configuration\Administrative Templates\System\Group Policy
Setting: Internet Explorer Maintenance policy processing
Vista: Not Configured
XP: Not Configured
CCE ID: CCE-365
Registry: HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}!NoSlowLink, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}!NoGPOListChanges
Description: Determines when Internet Explorer Maintenance policies are updated. This setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. It overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.

Policy path: Computer Configuration\Administrative Templates\System\Group Policy
Setting: Registry policy processing
Vista: Enabled: Process even if the Group Policy objects have not changed.
XP: Enabled: Process even if the Group Policy objects have not changed.
CCE ID: CCE-584
Registry: HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges
Description: Determines when registry policies are updated. This setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. If you enable this setting, you can use the check boxes provided to change the options. If you disable this setting or do not configure it, it has no effect on the system. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.

Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Setting: Turn off Automatic Root Certificates Update
Vista: Enabled
XP: Enabled
CCE ID: CCE-858
Registry: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
Description: Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. If you enable this setting, when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. If you disable or do not configure this setting, your computer will contact the Windows Update Web site.

Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off downloading of print drivers over HTTP
Values: Enabled / Enabled
CCE ID: CCE-887
Registry: HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
Description: Specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. Note: This setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. If you enable this setting, print drivers will not be downloaded over HTTP. If you disable this setting or do not configure it, users will be able to download print drivers over HTTP.
Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Event Viewer "Events.asp" links
Values: Disabled / Disabled
CCE ID: CCE-263
Registry: HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks
Description: Specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. If you enable this setting, event description URL links are not activated and the text "More Information" is not displayed at the end of the description. If you disable or do not configure this setting, the user can click the hyperlink which prompts the user and then sends information about the event over the internet to Microsoft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer".




Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off handwriting recognition error reporting
Values: Enabled / (Not Applicable)
CCE ID: CCE-430
Registry: HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorReports
Description: Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. If you enable this policy, users cannot start the handwriting recognition error reporting tool or send error reports to Microsoft. If you disable this policy, Tablet PC users can report handwriting recognition errors to Microsoft. If you do not configure this policy, Tablet PC users can report handwriting recognition errors to Microsoft.


Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Values: Enabled / Enabled
CCE ID: CCE-1055
Registry: HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW
Description: Specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard will cause the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. If you disable or do not configure this setting, users will be able to connect to Microsoft to download a list of ISPs for their area.


Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Internet download for Web publishing and online ordering wizards
Values: Enabled / Enabled
CCE ID: CCE-691
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
Description: Specifies whether Windows should download a list of providers for the Web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry. If you enable this setting, Windows will not download providers and only the service providers that are cached in the local registry will be displayed. If you disable or do not configure this setting, a list of providers will be downloaded when the user uses the Web publishing or online ordering wizards. See the documentation for the Web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.




Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Internet File Association service
Values: Enabled / Enabled
CCE ID: CCE-1064
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
Description: Specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the machine, the user is given the choice to choose a local application or use the Web service to find an application. If you enable this setting, the link and the dialog for using the Web service to open an unhandled file association are removed. If you disable or do not configure this setting, the user will be allowed to use the Web service.

Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off printing over HTTP
Values: Enabled / Enabled
CCE ID: CCE-852
Registry: HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
Description: Specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This setting affects the client side of Internet printing only. It does not prevent this machine from acting as an Internet Printing server and making its shared printers available via HTTP. If you enable this setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this setting, users will be able to choose to print to Internet printers over HTTP. Also see the "Web-based Printing" setting in Computer Configuration/Administrative Templates/Printers.

Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Registration if URL connection is referring to Microsoft.com
Values: Enabled / Enabled
CCE ID: CCE-88
Registry: HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration
Description: Specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. If you disable or do not configure this setting, users can connect to Microsoft.com to complete the online Windows Registration. Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in).


Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Search Companion content file updates
Values: Enabled / Enabled
CCE ID: CCE-818
Registry: HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
Description: Specifies whether Search Companion should automatically download content updates during local and Internet searches. When the user searches the local machine or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. If you enable this setting, Search Companion will not download content updates during searches. If you disable or do not configure this setting, Search Companion will download content updates unless the user is using Classic Search. Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search will turn off the Search Companion feature completely.




Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off the "Order Prints" picture task
Values: Enabled / Enabled
CCE ID: CCE-375
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
Description: Specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The "Order Prints Online" Wizard is used to download a list of providers and allow users to order prints online. If you enable this setting, the task "Order Prints Online" is removed from Picture Tasks in Windows Explorer folders. If you disable or do not configure this setting, the task is displayed.

Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off the "Publish to Web" task for files and folders
Values: Enabled / Enabled
CCE ID: CCE-1009
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
Description: Specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web," are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the Web. If you enable this setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this setting, the tasks will be shown.

Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off the Windows Messenger Customer Experience Improvement Program
Values: Enabled / Enabled
CCE ID: CCE-722
Registry: HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
Description: Specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. If you enable this setting, Windows Messenger will not collect usage information and the user settings to enable the collection of usage information will not be shown. If you disable this setting, Windows Messenger will collect anonymous usage information and the setting will not be shown. If you do not configure this setting, users will have the choice to opt-in and allow information to be collected.


Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Windows Error Reporting
Values: Enabled / Enabled
CCE ID: CCE-592
Registry: HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport, HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
Description: Controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. If you enable this setting, users will not be given the option to report errors. If you disable or do not configure this setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. This setting overrides any user setting made from the Control Panel for error reporting. Also see "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting.




Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Windows Movie Maker automatic codec downloads
Values: Enabled / Enabled
CCE ID: CCE-1040
Registry: HKLM\Software\Policies\Microsoft\WindowsMovieMaker!CodecDownload
Description: Note: Applies to Windows Movie Maker 2.1 only. Specifies whether Windows Movie Maker automatically downloads codecs. Windows Movie Maker can be configured so that codecs are downloaded automatically if the required codecs are not installed on the computer. If you enable this setting, Windows Movie Maker will not attempt to download missing codecs for imported audio and video files. If you disable or do not configure this setting, Windows Movie Maker might attempt to download missing codecs for imported audio and video files.




Policy path: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Policy: Turn off Windows Movie Maker online Web links
Values: Enabled / Enabled
CCE ID: CCE-1062
Registry: HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebHelp
Description: Specifies whether links to Web sites are available in Windows Movie Maker. These links include the "Windows Movie Maker on the Web" and "Privacy Statement" commands that appear on the Help menu. The "Windows Movie Maker on the Web" command lets users go directly to the Windows Movie Maker Web site to get more information, and the "Privacy Statement" command lets users view information about privacy issues in respect to Windows Movie Maker. If you enable this setting, the previously mentioned links to Web sites from Windows Movie Maker are disabled and cannot be selected. If you disable or do not configure this setting, the previously mentioned links to Web sites from Windows Movie Maker are enabled and can be selected.

Policy path:  Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Setting:      Turn off Windows Movie Maker saving to online video hosting provider
Values:       Enabled / Enabled
CCE ID:       CCE-93
Registry:     HKLM\Software\Policies\Microsoft\WindowsMovieMaker!WebPublish
Description:  Note: Applies to Windows Movie Maker 2.1 only.
              Specifies whether users can send a final movie to a video hosting provider on the Web by choosing "The Web" saving option in the Save Movie Wizard of Windows Movie Maker. When users create a movie in Windows Movie Maker, they can choose to share it in a variety of ways through the Save Movie Wizard. "The Web" saving option lets users send their movies to a video hosting provider. If you enable this setting, users cannot choose "The Web" saving option in the Save Movie Wizard of Windows Movie Maker and cannot send a movie to a video hosting provider on the Web. If you disable or do not configure this setting, users can choose "The Web" saving option in the Save Movie Wizard of Windows Movie Maker and can send a movie to a video hosting provider on the Web.


Policy path:  Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Setting:      Turn off Windows Update device driver searching
Values:       Enabled / Enabled
CCE ID:       CCE-927
Registry:     HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
Description:  This policy specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. If you enable this setting, Windows Update will not be searched when a new device is installed. If you disable this setting, Windows Update will always be searched for drivers when no local drivers are present. If you do not configure this setting, searching Windows Update will be optional when installing a device.
              Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System", which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally.



Policy path:  Computer Configuration\Administrative Templates\System\Logon
Setting:      Always use classic logon
Values:       Enabled / Enabled
CCE ID:       CCE-231
Registry:     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonType
Description:  This setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain.

Policy path:  Computer Configuration\Administrative Templates\System\Logon
Setting:      Do not process the run once list
Values:       Not Configured / Not Configured
CCE ID:       CCE-583
Registry:     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce
Description:  Ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. If you enable this setting, the system ignores the run-once list. If you disable this setting or do not configure it, the system runs the programs in the run-once list.
              This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
              Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.




Policy path:  Computer Configuration\Administrative Templates\System\Logon
Setting:      Don't display the Getting Started welcome screen at logon
Values:       Enabled / Enabled
CCE ID:       CCE-1020
Registry:     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
Description:  Suppresses the welcome screen.
              This setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box.

Policy path:  Computer Configuration\Administrative Templates\System\Logon
Setting:      Turn off Windows Startup Sound
Values:       Not Configured / (Not Applicable)
CCE ID:       CCE-681
Registry:     HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStartupSound
Description:  Turn off the Windows Startup sound and prevent its customization in the Sound item of Control Panel. The Microsoft Windows Startup sound is heard during system startup and cold startup and can be turned on or off in the Sound item of Control Panel. Enabling or disabling this setting will automatically prevent users from customizing the default behavior of the Windows Startup sound. If this policy setting is enabled, the Windows Startup sound will be turned off for all users. If this policy setting is disabled, the Windows Startup sound will be turned on for all users. If this policy setting is not configured, the Windows Startup sound will be turned on for all users by default and customizable in the Sound item of Control Panel. This policy setting does not prevent users from setting preferences for other system sounds.


Policy path:  Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
Setting:      Require a Password When a Computer Wakes (On Battery)
Values:       Enabled / (Not Applicable)
CCE ID:       CCE-346
Registry:     HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!DCSettingIndex
Description:  Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when the system resumes from sleep.
              If you disable this policy, the user is not prompted for a password when the system resumes from sleep.


Policy path:  Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
Setting:      Require a Password When a Computer Wakes (Plugged In)
Values:       Enabled / (Not Applicable)
CCE ID:       CCE-1011
Registry:     HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!ACSettingIndex
Description:  Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when the system resumes from sleep. If you disable this policy, the user is not prompted for a password when the system resumes from sleep.



Policy path:  Computer Configuration\Administrative Templates\System\Remote Assistance
Setting:      Offer Remote Assistance
Values:       Disabled / Disabled
CCE ID:       CCE-434
Registry:     HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited,
              HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicitedFullControl,
              HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
Description:  Use this policy setting to determine whether or not a support person or IT admin (who is termed the "expert") can offer remote assistance to this computer without a user explicitly requesting it first via a channel, e-mail, or instant messenger. Using this policy setting, an expert can offer remote assistance to this computer. The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user is still given a chance to accept or deny the connection (giving the expert view-only privileges to the user's desktop), and thereafter the user has to explicitly click a button to give the expert the ability to remotely control the desktop, if remote control is enabled. If you enable this policy setting, Remote Assistance can be offered to users logged on to the machine. You have two options as to how Helpers can provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." In addition to making this selection, when you configure this policy setting you also specify the list of users or user groups that will be allowed to offer remote assistance. These are known as "helpers."

Policy path:  Computer Configuration\Administrative Templates\System\Remote Assistance
Setting:      Solicited Remote Assistance
Values:       Disabled / Disabled
CCE ID:       CCE-859
Registry:     ##################################
Description:  Specifies whether users can solicit another user's assistance via Remote Assistance. If you enable this policy setting, a user can send a Remote Assistance invitation to a person ("expert") at another computer. If given subsequent permission by the user, the expert can use this invitation to view the user's screen, mouse, and keyboard activity in real time. The "Permit remote control of this computer" option specifies whether a user on a different computer can control this computer. If a user invites an expert to connect to the computer, and gives permission, the expert can take control of this computer. The expert can only make requests to take control during a Remote Assistance session. The user can stop remote control at any time. The "Maximum ticket time" setting sets a limit on the amount of time that a Remote Assistance invitation can remain open. The "Method for sending e-mail invitations" option specifies which e-mail standard to use to send Remote Assistance invitations. Depending on your e-mail program, you can use either the Mailto (the invitation recipient connects through an Internet link) or SMAPI (Simple MAPI) standard (the invitation is attached to your e-mail message). The e-mail program must support the selected e-mail standard. This option is applicable to Windows Server 2003 only. If you disable this policy setting, users cannot request Remote Assistance and this computer cannot be controlled from another computer.

Policy path:  Computer Configuration\Administrative Templates\System\Remote Assistance
Setting:      Turn on session logging
Values:       Enabled / (Not Applicable)
CCE ID:       CCE-835
Description:  This policy setting allows you to turn logging on or off. An expert can connect to this computer only with the explicit permission of the user. Log files are located in the user's Documents folder under Remote Assistance. If you enable this policy setting, log files will be generated. If you disable this policy setting, log files will not be generated. If you do not configure this setting, application-based settings will be used.

Policy path:  Computer Configuration\Administrative Templates\System\Remote Procedure Call
Setting:      Restrictions for Unauthenticated RPC clients
Values:       Enabled: Authenticated / Enabled: Authenticated
CCE ID:       CCE-423
Registry:     HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients
Description:  If you enable this setting, it directs the RPC Runtime on an RPC server to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy.
              If you disable this setting or do not configure it, the value of Authenticated will be used for Windows XP and the value of None will be used for Server SKUs that support this policy setting. If you enable it, the following values are available:
              - "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy is applied.
              - "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy is applied. Interfaces that have asked to be exempt from this restriction will be granted an exemption.
              - "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy is applied. No exceptions are allowed.

Policy path:  Computer Configuration\Administrative Templates\System\Remote Procedure Call
Setting:      RPC Endpoint Mapper Client Authentication
Values:       Enabled / Enabled
CCE ID:       CCE-145
Registry:     HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution
Description:  Enabling this setting directs RPC Clients that need to communicate with the Endpoint Mapper Service to authenticate as long as the RPC call for which the endpoint needs to be resolved has authentication information. Disabling this setting will cause RPC Clients that need to communicate with the Endpoint Mapper Service to not authenticate. The Endpoint Mapper Service on machines running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This means that enabling this setting on a client machine will prevent that client from communicating with a Windows NT4 server using RPC if endpoint resolution is needed.
              By default, RPC Clients will not use authentication to communicate with the RPC Server Endpoint Mapper Service when asking for the endpoint of a server.
              Note: This policy setting will not be applied until the system is rebooted.

Policy path:  Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service
Setting:      Approved Installation Sites for ActiveX Controls
Values:       Not Configured / (Not Applicable)
CCE ID:       CCE-836
Registry:     HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller!ApprovedList,
              HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\ApprovedActiveXInstallSites
Description:  The ActiveX Installer Service is the solution to delegate the install of per-machine ActiveX controls to a Standard User in the enterprise. The list of Approved ActiveX Install sites contains the host URL and the policy settings for each host URL. Wild cards are not supported.

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies
  Setting: Turn off Autoplay
  FDCC Vista: Enabled: All Drives | FDCC XP: (Not Applicable) | CCE ID: CCE-44
  Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
  Description: Turns off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive, so the setup file of a program or the music on audio media starts immediately. Prior to XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with XP SP2, Autoplay is enabled for removable drives as well, including ZIP drives and some USB mass storage devices. If you enable this setting, you can disable Autoplay on CD-ROM and removable media drives, or disable Autoplay on all drives. This setting only disables Autoplay on additional types of drives; you cannot use it to enable Autoplay on drives on which it is disabled by default. Note: This setting appears in both the Computer Configuration and User Configuration folders. If the settings conflict, the setting in Computer Configuration takes precedence over the setting in User Configuration.
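The three Autoplay choices above (Not Configured, "CD-ROM and removable media drives", "All Drives") are all just values of one bitmask, NoDriveTypeAutoRun, in which each set bit disables Autoplay for one drive type. The following decoder is an added example, not part of the FDCC spreadsheet or of any Microsoft tool; the bit-to-drive-type table follows the Win32 GetDriveType numbering, and the numeric values written by the two Group Policy options (0xFF and 0xB5) and the platform defaults (0x95 before XP SP2, 0x91 from XP SP2 and Vista) are taken from the ADMX and Microsoft's documentation as I recall them, so treat them as assumptions to verify against your own templates.

```powershell
# Added example; not from the FDCC spreadsheet. Decodes NoDriveTypeAutoRun,
# the bitmask behind "Turn off Autoplay". Bit n corresponds to drive type n
# as returned by the Win32 GetDriveType API; a set bit disables Autoplay there.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x02; Name = 'DRIVE_NO_ROOT_DIR' },
    @{ Bit = 0x04; Name = 'DRIVE_REMOVABLE (floppy, USB, ZIP)' },
    @{ Bit = 0x08; Name = 'DRIVE_FIXED (hard disk)' },
    @{ Bit = 0x10; Name = 'DRIVE_REMOTE (network)' },
    @{ Bit = 0x20; Name = 'DRIVE_CDROM' },
    @{ Bit = 0x40; Name = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Name = 'reserved (unrecognised drive types)' }
)

function Get-AutoplayDisabledDriveTypes {
    param([int]$Mask)
    # Return the names of every drive type whose bit is set in the mask.
    $DriveTypeBits | Where-Object { ($Mask -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

function Get-EffectiveNoDriveTypeAutoRun {
    # The policy text says Computer Configuration wins over User Configuration,
    # so HKLM is consulted first. The values below are assumed defaults when
    # neither policy location is set (0x91 on XP SP2/Vista, 0x95 before SP2).
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($v -ne $null) { return [int]$v.NoDriveTypeAutoRun }
    }
    return 0x91   # assumed platform default (XP SP2 and later, Vista)
}

# Values the Group Policy options write (assumed from the Autoplay ADMX):
#   All drives                      -> 0xFF   (the FDCC value for this row)
#   CD-ROM and removable media only -> 0xB5
foreach ($mask in @(0xFF, 0xB5, 0x91, 0x95)) {
    $names = (Get-AutoplayDisabledDriveTypes -Mask $mask) -join ', '
    "0x{0:X2}: Autoplay disabled on {1}" -f $mask, $names
}

$effective = Get-EffectiveNoDriveTypeAutoRun
"This host: 0x{0:X2}; meets FDCC (all drives disabled): {1}" -f $effective, ($effective -eq 0xFF)
```

Decoding 0x91 and 0x95 side by side shows exactly what the description above means by XP SP2 enabling Autoplay on removable drives: the only difference is bit 0x04. A mask of 0xFF is the only value that satisfies the FDCC row, because any cleared bit leaves one drive type with Autoplay on.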



Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
  Setting: Enumerate administrator accounts on elevation
  FDCC Vista: Disabled | FDCC XP: (Not Applicable) | CCE ID: CCE-935
  Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnumerateAdministrators
  Description: By default, all local administrator accounts are displayed when a user attempts to elevate a running application. If you enable this policy setting, users must always type a user name and password to elevate. If you disable this policy setting, all local administrator accounts on the machine are displayed so the user can choose one and enter the matching password. Note that enumeration discloses the local administrator account names to anyone who can trigger an elevation prompt.
Computer Configuration\Administrative Templates\Windows Components\Digital Locker
  Setting: Do not allow Digital Locker to run
  FDCC Vista: Enabled | FDCC XP: (Not Applicable) | CCE ID: CCE-935
  Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
  Description: Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. If you enable this setting, Digital Locker will not run. If you disable or do not configure this setting, Digital Locker can be run.



Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application
  Setting: Maximum Log Size (KB)
  FDCC Vista: Enabled: 32768 | FDCC XP: (Not Applicable) | CCE ID: CCE-185
  Registry: HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!MaxSize
  Description: Specifies the maximum size of the Application log file in kilobytes. If you enable this policy setting, the maximum log file size is fixed by policy; on Vista the accepted range is 1 megabyte (1024 kilobytes) to 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size is the locally configured value, which a local administrator can change in the log's Properties dialog (the Vista default is 20 megabytes). What happens when the log reaches its maximum size is governed separately by the "Retain old events" and "Backup log automatically when full" policy settings under the same node; with the defaults, new events overwrite the oldest ones, so an undersized log lets an intruder's noise push earlier evidence out.


Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security
  Setting: Maximum Log Size (KB)
  FDCC Vista: Enabled: 81920 | FDCC XP: (Not Applicable) | CCE ID: CCE-757
  Registry: HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!MaxSize
  Description: Specifies the maximum size of the Security log file in kilobytes. If you enable this policy setting, the maximum log file size is fixed by policy; on Vista the accepted range is 1 megabyte (1024 kilobytes) to 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size is the locally configured value, which a local administrator can change in the log's Properties dialog (the Vista default is 20 megabytes). What happens when the log reaches its maximum size is governed separately by the "Retain old events" and "Backup log automatically when full" policy settings under the same node. FDCC gives the Security log a larger size than the other logs because audit records are the ones an intruder most wants to see overwritten.


Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup
  Setting: Maximum Log Size (KB)
  FDCC Vista: Enabled: 32768 | FDCC XP: (Not Applicable) | CCE ID: CCE-262
  Registry: HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!MaxSize
  Description: Specifies the maximum size of the Setup log file in kilobytes. If you enable this policy setting, the maximum log file size is fixed by policy; on Vista the accepted range is 1 megabyte (1024 kilobytes) to 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size is the locally configured value, which a local administrator can change in the log's Properties dialog (the Vista default is 20 megabytes). What happens when the log reaches its maximum size is governed separately by the "Retain old events" and "Backup log automatically when full" policy settings under the same node.

Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System
  Setting: Maximum Log Size (KB)
  FDCC Vista: Enabled: 32768 | FDCC XP: (Not Applicable) | CCE ID: CCE-735
  Registry: HKLM\Software\Policies\Microsoft\Windows\EventLog\System!MaxSize
  Description: Specifies the maximum size of the System log file in kilobytes. If you enable this policy setting, the maximum log file size is fixed by policy; on Vista the accepted range is 1 megabyte (1024 kilobytes) to 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure this policy setting, the maximum size is the locally configured value, which a local administrator can change in the log's Properties dialog (the Vista default is 20 megabytes). What happens when the log reaches its maximum size is governed separately by the "Retain old events" and "Backup log automatically when full" policy settings under the same node.


Computer Configuration\Administrative Templates\Windows Components\Game Explorer
  Setting: Turn off downloading of game information
  FDCC Vista: Enabled | FDCC XP: (Not Applicable) | CCE ID: CCE-935
  Registry: HKLM\Software\Policies\Microsoft\Windows\GameUX!DownloadGameInfo
  Description: Manages the download of game box art and ratings from the Windows Metadata Services. If you enable this setting, game information including box art and ratings will not be downloaded. If you disable or do not configure this setting, game information will be downloaded from Windows Metadata Services.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Disable "Configuring History"
  FDCC Vista: Enabled: 40 days | FDCC XP: Enabled: 40 days | CCE ID: CCE-66
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!History, HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History!DaysToKeep
  Description: This setting specifies the number of days that Internet Explorer keeps track of the pages viewed in the History list. The Delete Browsing History option is reached from Tools, Internet Options, on the General tab; in Internet Explorer 7 it is also available directly under Tools as Delete Browsing History. If you enable this policy setting, a user cannot set the number of days that Internet Explorer keeps track of the pages viewed in the History list; you must specify that number of days, and users will not be able to delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer keeps track of the pages viewed and is free to delete browsing history.


Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Disable Automatic Install of Internet Explorer components
  FDCC Vista: Enabled | FDCC XP: Enabled | CCE ID: CCE-684
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoJITSetup
  Description: This setting prevents Internet Explorer from automatically installing components. Enabling it prevents Internet Explorer from downloading a component when users browse to a Web site that needs that component to function fully. Setting it to Disabled or Not Configured causes users to be prompted to download and install components each time they visit a Web site that uses them. This policy is intended to help the administrator control which components the user may install. Before enabling this policy, Microsoft recommends setting up an alternative strategy for updating Internet Explorer using Software Update Services or a similar product.


Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Disable changing Automatic Configuration settings
  FDCC Vista: Enabled | FDCC XP: Enabled | CCE ID: CCE-471
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
  Description: Automatic configuration lets Internet Explorer detect the proxy server settings used to connect to the Internet automatically, or take its connection settings from a configuration file supplied by the system administrator. If you enable this policy setting, the user cannot change the automatic configuration settings. You can import the current connection settings from your machine using Internet Explorer Maintenance in the Group Policy editor. If you disable or do not configure this policy setting, the user is free to change automatic configuration.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Disable Periodic Check for Internet Explorer software updates
  FDCC Vista: Enabled | FDCC XP: Enabled | CCE ID: CCE-212
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoUpdateCheck
  Description: This setting prevents Internet Explorer from periodically checking whether a new browser update is available. Enabling this policy prevents Internet Explorer from determining whether a new browser update is available and then notifying users. Setting it to Disabled or Not Configured causes Internet Explorer to check for browser updates every 30 days by default, and then notify the user when new ones are available. This policy is intended to help administrators maintain version control of Internet Explorer by not notifying users when new updates or versions of the browser are available. Before enabling this policy, Microsoft recommends setting up an alternative strategy for the administrators in your organization to ensure they periodically accept new Internet Explorer updates; the check is being turned off, not the need for patches.




Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Disable showing the splash screen
  FDCC Vista: Enabled | FDCC XP: Enabled | CCE ID: CCE-556
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSplash
  Description: This setting prevents the Internet Explorer splash screen from appearing when users start the browser. Enabling this policy causes the splash screen, which normally displays the program name, licensing, and copyright information, not to display. Setting it to Disabled or Not Configured allows the splash screen to display when users start the browser.


Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Disable software update shell notifications on program launch
  FDCC Vista: Enabled | FDCC XP: Enabled | CCE ID: CCE-622
  Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMSAppLogo5ChannelNotify
  Description: This setting specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new components. The Software Distribution Channel is a means of updating software dynamically on user computers based on Open Software Distribution (.osd) technologies. Enabling this policy prevents users from being notified when their programs are updated using Software Distribution Channels. Setting it to Disabled or Not Configured allows program update notifications to be sent to users. Enabling this setting allows administrators to use Software Distribution Channels to update programs on the workstations in your environment without user intervention.




Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Do not allow users to enable or disable add-ons
  FDCC Vista: Disabled | FDCC XP: Disabled | CCE ID: CCE-708
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
  Description: This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons through Manage Add-ons. The only exception is if an add-on has been specifically entered into the Add-On List policy setting in a way that allows users to continue to manage the add-on; in such a case, the user can still manage the add-on through Manage Add-ons. If you configure this policy setting to Disabled, the user will be able to enable or disable add-ons. Note: For more information on managing Internet Explorer add-ons in Windows XP SP2, see KB article 883256, "How to manage Internet Explorer add-ons in Windows XP Service Pack 2" at http://support.microsoft.com/?kbid=883256.


Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Make proxy settings per-machine (rather than per-user)
  FDCC Vista: Disabled | FDCC XP: Disabled | CCE ID: CCE-693
  Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxySettingsPerUser
  Description: This setting ensures that proxy settings are the same for all users of the same computer. Enabling it prevents users from setting user-specific proxy settings and requires them to use the settings established for all users of the computer. Setting it to Disabled or Not Configured allows users of the same computer to establish their own proxy settings. When enabled, it ensures that proxy settings do not vary from user to user of the same computer and prevents a user from circumventing Internet security policies configured on your proxy servers. Microsoft's security guidance recommends enabling this setting for desktop clients only, since laptop users may have to change their proxy settings as they travel; FDCC leaves it Disabled.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
  Setting: Prevent participation in the Customer Experience Improvement Program
  FDCC Vista: Enabled | FDCC XP: Enabled | CCE ID: CCE-495
  Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
  Description: Controls whether Internet Explorer participates in the Customer Experience Improvement Program (CEIP), which reports browser usage data to Microsoft. If you enable this policy setting, Internet Explorer does not participate in the CEIP and the user cannot opt in. If you disable or do not configure this policy setting, this policy does not block participation.



Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Prevent performance of First Run Customize settings
Values: Enabled: Go directly to home page | Enabled: Go directly to home page
CCE ID: CCE-1006
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
Description: This policy setting prevents performance of the First Run Customize settings ability and controls what the user will see when they launch Internet Explorer for the first time after installation of Internet Explorer. If you enable this policy setting, users must make one of two choices: 1: Skip Customize Settings, and go directly to the user's home page. 2: Skip Customize Settings, and go directly to the "Welcome to Internet Explorer" Web page. If you disable or do not configure this policy setting, users go through the regular first run process.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Security Zones: Do not allow users to add/delete sites
Values: Enabled | Enabled
CCE ID: CCE-146
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_zones_map_edit
Description: The Security Zones: Do not allow users to add/delete sites setting prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. Enabling this policy causes the site management settings for security zones not to work. To view the site management settings for security zones: (1) In the Internet Options dialog box, click the Security tab. (2) Click the Sites button. Setting Security Zones: Do not allow users to add/delete sites to Disable or Not Configured allows users to add or remove Web sites from the zones for Trusted Sites and Restricted Sites, and alter settings for the Local Intranet zone. This policy prevents users from changing site management settings for security zones established by the administrator. Note: Enabling the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, causes it to take precedence over the Security Zones: Do not allow users to add/delete sites setting.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Security Zones: Do not allow users to change policies
Values: Enabled | Enabled
CCE ID: CCE-833
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_options_edit
Description: The Security Zones: Do not allow users to change policies setting prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. Enabling this setting disables the Custom Level button and the security-level slider on the Security tab in the Internet Options dialog box. Setting Security Zones: Do not allow users to change policies to Disabled or Not Configured allows users to change security zone settings. This setting prevents users from changing security zone settings established by the administrator. Note: Enabling the Disable the Security page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in the Control Panel, causes it to take precedence over the Security Zones: Do not allow users to change policies setting.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Security Zones: Use only machine settings
Values: Enabled | Enabled
CCE ID: CCE-5
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_HKLM_only
Description: Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user. Also, see the "Security zones: Do not allow users to change policies" policy.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Turn off "Delete Browsing History" functionality
Values: Not Configured | Not Configured
CCE ID: CCE-1010
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
Description: This policy setting prevents users from performing the "Delete Browsing History" action in Internet Explorer. If you enable this policy setting, users cannot perform the "Delete Browsing History" action in Internet Options for Internet Explorer 7. If you disable or do not configure this policy setting, users can perform the "Delete Browsing History" action in Internet Options for Internet Explorer 7.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Turn off Crash Detection
Values: Enabled | Enabled
CCE ID: CCE-753
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
Description: The Turn off Crash Detection policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet Explorer will be similar to one on a computer running Windows XP Professional Service Pack 1 and earlier: Windows Error Reporting will be invoked. If you disable this policy setting, the crash detection feature in add-on management will be functional. Because Internet Explorer crash report information could contain sensitive information from the computer's memory, this appendix recommends you configure this option to Enabled unless you are experiencing frequent repeated crashes and need to report them for follow-up troubleshooting. In those cases you could temporarily configure the setting to Disabled.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Turn off Managing Phishing filter
Values: Enabled: Off | Enabled (Off)
CCE ID: CCE-1032
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
Description: This policy setting allows the user to enable a phishing filter that will warn if the Web site being visited is known for fraudulent attempts to gather personal information through "phishing." If you enable this policy setting, the user will not be prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual, automatic, or off. If you select manual mode, the phishing filter performs only local analysis and users are prompted to permit any data to be sent to Microsoft. If the feature is fully enabled, all website addresses not contained on the filter's whitelist will be sent automatically to Microsoft without prompting the user. If you disable or do not configure this policy setting, the user will be prompted to decide the mode of operation for the phishing filter.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
Setting: Turn off the Security Settings Check feature
Values: Disabled | Disabled
CCE ID: CCE-1054
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
Description: This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the security settings check will not be performed. If you disable or do not configure this policy setting, the security settings check will be performed.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
Setting: Prevent ignoring certificate errors
Values: Not Configured | Not Configured
CCE ID: CCE-938
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErrors
Description: Internet Explorer treats as fatal any Secure Socket Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt navigation (such as "expired," "revoked," or "name mismatch" errors). If you enable this policy setting, the user is not permitted to continue navigation. If you disable this policy setting or do not configure it, the user may elect to ignore certificate errors and continue navigation.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Allow active content from CDs to run on user machines
Values: Disabled | Disabled
CCE ID: CCE-964
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings!LOCALMACHINE_CD_UNLOCK
Description: This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to run. If you enable this policy setting, active content on a CD will run without a prompt. If you disable this policy setting, active content on a CD will always prompt before running. If you do not configure this policy, users can choose whether to be prompted before running active content on a CD.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Allow Install On Demand (Internet Explorer)
Values: Not Configured | Not Configured
CCE ID: CCE-69
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
Description: This policy setting allows you to manage whether users can automatically download and install Web components (such as fonts) that can be installed by Internet Explorer Active Setup. For example, if you open a Web page that requires Japanese-text display support, Internet Explorer could prompt the user to download the Japanese Language Pack component if it is not already installed. If you enable this policy setting, Web components such as fonts will be automatically installed as necessary. If you disable this policy setting, users will be prompted when Web Components such as fonts would be downloaded. If you do not configure this policy, users will be prompted when Web Components such as fonts would be downloaded.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Allow software to run or install even if the signature is invalid
Values: Disabled | Disabled
CCE ID: CCE-449
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
Description: Microsoft ActiveX controls and file downloads often have digital signatures attached that vouch for both the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Allow third-party browser extensions
Values: Disabled | Disabled
CCE ID: CCE-598
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
Description: This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects, such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Explorer's performance or stability. If you enable this policy setting, Internet Explorer automatically launches any browser helper objects that are installed on the user's computer. If you disable this policy setting, browser helper objects do not launch. If you do not configure this policy, Internet Explorer automatically launches any browser helper objects that are installed on the user's computer.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Automatically check for Internet Explorer updates
Values: Disabled | Disabled
CCE ID: CCE-1008
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
Description: This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Explorer is set to do this, the checks occur approximately every 30 days, and users are prompted to install new versions as they become available. If you enable this policy setting, Internet Explorer checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are available. If you disable this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them. If you do not configure this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Check for server certificate revocation
Values: Enabled | Enabled
CCE ID: CCE-690
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
Description: This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.

Path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Check for signatures on downloaded programs
Values: Enabled | Enabled
CCE ID: CCE-1025
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
Description: This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identify the publisher of signed software and verify it hasn't been modified or tampered with) on user computers before downloading executable programs. If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Setting: Do not allow resetting Internet Explorer settings
Values: Not Configured | Not Configured
CCE ID: CCE-42
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
Description: This policy setting prevents users from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings allows users to reset all settings changed since install, delete browsing history and disable add-ons that are not preapproved. If you enable this policy setting, users will not be able to use Reset Internet Explorer Settings. If you disable or do not configure this policy setting, users will be able to use Reset Internet Explorer Settings.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
Setting: Intranet Sites: Include all network paths (UNCs)
Values: Disabled | Disabled
CCE ID: CCE-876
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntranet
Description: This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet Zone. If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Access data sources across domains
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-47
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
Description: This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow cut, copy or paste operations from the clipboard via script
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-49
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1407
Description: This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script can perform a clipboard operation.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow drag and drop or copy and paste files
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-685
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1802
Description: This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow font downloads
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-491
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1604
Description: This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow installation of desktop items
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-355
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1800
Description: This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are as follows. If you enable this policy setting, users can install desktop items from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow script-initiated windows without size or position constraints
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-280
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2102
Description: This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow Scriptlets
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-439
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1209
Description: This policy setting allows you to manage whether scriptlets can be allowed. If you enable this policy setting, users will be able to run scriptlets. If you disable this policy setting, users will not be able to run scriptlets. If you do not configure this policy setting, a scriptlet can be enabled or disabled by the user.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Allow status bar updates via script
Values: Not Configured | Not Configured
CCE ID: CCE-914
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2103
Description: This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable this policy setting, script is not allowed to update the status bar. If you do not configure this policy setting, status bar updates via scripts will be disabled.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Automatic prompting for file downloads
Values: Enabled:Enable | Enabled:Enable
CCE ID: CCE-16
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2200
Description: This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Download signed ActiveX controls
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-1013
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1001
Description: This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Download unsigned ActiveX controls
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-176
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1004
Description: This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Initialize and script ActiveX controls not marked as safe
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-586
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1201
Description: This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Java permissions
Values: Enabled:Disable Java | Enabled:Disable Java
CCE ID: CCE-132
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
Description: This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose one of the following options from the drop-down box. Custom lets you control permissions settings individually. Low Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java prevents any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. Note: This only applies to MS Java, not Sun Java.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Setting: Launching applications and files in an IFRAME
Values: Enabled:Disable | Enabled:Disable
CCE ID: CCE-689
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1804
Description: This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Logon options
  FDCC value:   Enabled: Prompt for Username/Password | Enabled:Prompt for user and password
  CCE:          CCE-720
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A00
  Description:  This policy setting allows you to manage settings for logon options. If you enable this
                policy setting, you can choose from the following logon options:
                - Anonymous logon, to disable HTTP authentication and use the guest account only for the
                  Common Internet File System (CIFS) protocol.
                - Prompt for user name and password, to query users for user IDs and passwords. After a
                  user is queried, these values can be used silently for the remainder of the session.
                - Automatic logon only in Intranet zone, to query users for user IDs and passwords in
                  other zones. After a user is queried, these values can be used silently for the
                  remainder of the session.
                - Automatic logon with current user name and password, to attempt logon using Windows NT
                  Challenge Response (also known as NTLM authentication). If Windows NT Challenge
                  Response is supported by the server, the logon uses the user's network user name and
                  password for logon. If it is not supported by the server, the user is queried to
                  provide the user name and password.
                If you disable this policy setting, logon is set to Automatic logon only in Intranet
                zone. If you do not configure this policy setting, logon is set to Automatic logon only
                in Intranet zone.
  Note:         With Automatic logon with current user name and password in effect for this zone, any
                Internet server that requests NTLM authentication receives a challenge-response derived
                from the logged-on user's Windows credentials without any user interaction; the Prompt
                option required here stops that silent release of credentials.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Loose or un-compiled XAML files
  FDCC value:   Enabled:Disable | Enabled:Disable
  CCE:          CCE-126
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2402
  Description:  These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based
                declarative markup language commonly used for creating rich user interfaces and graphics
                that leverage the Windows Presentation Foundation. If you enable this policy setting and
                the dropdown box is set to Enable, .XAML files will be automatically loaded inside
                Internet Explorer 7.0. Users will not be able to change this behavior. If the dropdown
                box is set to Prompt, users will receive a prompt for loading .XAML files. If you disable
                this policy setting, .XAML files will not be loaded inside Internet Explorer 7.0. Users
                will not be able to change this behavior. If you do not configure this policy setting,
                users will have the freedom to decide whether to load .XAML files inside Internet
                Explorer 7.0.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Navigate sub-frames across different domains
  FDCC value:   Disabled | Disabled
  CCE:          CCE-245
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1607
  Description:  This policy setting allows you to manage the opening of sub-frames and access of
                applications across different domains. If you enable this policy setting, users can open
                sub-frames from other domains and access applications from other domains. If you select
                Prompt in the drop-down box, users are queried whether to allow sub-frames or access to
                applications from other domains. If you disable this policy setting, users cannot open
                sub-frames or access applications from different domains. If you do not configure this
                policy setting, users can open sub-frames from other domains and access applications
                from other domains.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Open files based on content, not file extension
  FDCC value:   Enabled:Disable | Enabled:Disable
  CCE:          CCE-910
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2100
  Description:  This policy setting allows you to manage MIME sniffing for file promotion from one type
                to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of
                the file type based on a bit signature. If you enable this policy setting, the MIME
                Sniffing Safety Feature will not apply in this zone. The security zone will run without
                the added layer of security provided by this feature. If you disable this policy setting,
                the actions that may be harmful cannot run; this Internet Explorer security feature will
                be turned on in this zone, as dictated by the feature control setting for the process.
                If you do not configure this policy setting, the MIME Sniffing Safety Feature will not
                apply in this zone.
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Software channel permissions
  FDCC value:   Enabled:High Safety | Enabled:High Safety
  CCE:          CCE-359
  Registry:     (none listed)
  Description:  This policy setting allows you to manage software channel permissions. If you enable
                this policy setting, you can choose the following options from the drop-down box:
                - Low safety, to allow users to be notified of software updates by e-mail, software
                  packages to be automatically downloaded to users' computers, and software packages to
                  be automatically installed on users' computers.
                - Medium safety, to allow users to be notified of software updates by e-mail and software
                  packages to be automatically downloaded to (but not installed on) users' computers.
                - High safety, to prevent users from being notified of software updates by e-mail,
                  software packages from being automatically downloaded to users' computers, and
                  software packages from being automatically installed on users' computers.
                If you disable this policy setting, permissions are set to High safety. If you do not
                configure this policy setting, permissions are set to Medium safety.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Turn Off First-Run Opt-In
  FDCC value:   Enabled:Disable | Enabled:Disable
  CCE:          CCE-863
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1208
  Description:  This policy setting controls the First Run response that users see on a zone-by-zone
                basis. When a user encounters a new control that has not previously run in Internet
                Explorer, they may be prompted to approve the control. This feature determines whether
                the user gets the prompt or not. If you enable this policy setting, the Gold Bar prompt
                will be turned off in the corresponding zone. If you disable this policy setting, the
                Gold Bar prompt will be turned on in the corresponding zone. If you do not configure
                this policy setting, the first-run prompt is turned off by default.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Turn on Protected Mode
  FDCC value:   Enabled:Enable | Enabled:Enable
  CCE:          CCE-281
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2500
  Description:  Protected Mode protects Internet Explorer from exploited vulnerabilities by reducing the
                locations Internet Explorer can write to in the registry and the file system. If you
                enable this policy setting, Protected Mode will be turned on. Users will not be able to
                turn off Protected Mode. If you disable this policy setting, Protected Mode will be
                turned off. It will revert to Internet Explorer 6 behavior that allows Internet Explorer
                to write to the registry and the file system. Users will not be able to turn on Protected
                Mode. If you do not configure this policy, users will be able to turn Protected Mode on
                or off. Requires Windows Vista; will be ignored by Windows XP.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Use Pop-up Blocker
  FDCC value:   Enabled:Enable | Enabled:Enable
  CCE:          CCE-1002
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1809
  Description:  This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up
                windows that are opened when the end user clicks a link are not blocked. If you enable
                this policy setting, most unwanted pop-up windows are prevented from appearing. If you
                disable this policy setting, pop-up windows are not prevented from appearing. If you do
                not configure this policy setting, most unwanted pop-up windows are prevented from
                appearing.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Userdata persistence
  FDCC value:   Enabled:Disable | Enabled:Disable
  CCE:          CCE-425
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1606
  Description:  This policy setting allows you to manage the preservation of information in the
                browser's history, in favorites, in an XML store, or directly within a Web page saved to
                disk. When a user returns to a persisted page, the state of the page can be restored if
                this policy setting is appropriately configured. If you enable this policy setting, users
                can preserve information in the browser's history, in favorites, in an XML store, or
                directly within a Web page saved to disk. If you disable this policy setting, users
                cannot preserve information in the browser's history, in favorites, in an XML store, or
                directly within a Web page saved to disk. If you do not configure this policy setting,
                users can preserve information in the browser's history, in favorites, in an XML store,
                or directly within a Web page saved to disk.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Web Browser Applications
  FDCC value:   Not Configured | Not Configured
  CCE:          CCE-286
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2400
  Description:  These are browser-hosted, ClickOnce-deployed applications built using WinFX. These
                applications execute in a security sandbox and harness the power of the Windows
                Presentation Foundation platform for the Web. If you enable this policy setting and the
                dropdown box is set to Enable, .XBAPs will be automatically loaded inside Internet
                Explorer 7.0. Users will not be able to change this behavior. If the dropdown box is set
                to Prompt, users will receive a prompt for loading .XBAPs. If you disable this policy
                setting, .XBAPs will not be loaded inside Internet Explorer 7.0. Users will not be able
                to change this behavior. If you do not configure this policy setting, users will have
                the freedom to decide whether to load .XBAPs inside Internet Explorer 7.0.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  Setting:      Web sites in less privileged Web content zones can navigate into this zone
  FDCC value:   Enabled:Disable | Enabled:Disable
  CCE:          CCE-724
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!2101
  Description:  This policy setting allows you to manage whether Web sites from less privileged zones,
                such as Restricted Sites, can navigate into this zone. If you enable this policy
                setting, Web sites from less privileged zones can open new windows in, or navigate into,
                this zone. The security zone will run without the added layer of security that is
                provided by the Protection from Zone Elevation security feature. If you select Prompt in
                the drop-down box, a warning is issued to the user that potentially risky navigation is
                about to occur. If you disable this policy setting, the possibly harmful navigations are
                prevented. The Internet Explorer security feature will be on in this zone as set by the
                Protection from Zone Elevation feature control. If you do not configure this policy
                setting, Web sites from less privileged zones can open new windows in, or navigate into,
                this zone.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  Setting:      Display mixed content
  FDCC value:   Not Configured | Not Configured
  CCE:          CCE-288
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1609
  Description:  This policy setting allows you to manage whether users can display nonsecure items and
                manage whether users receive a security information message to display pages containing
                both secure and nonsecure items. If you enable this policy setting, and the drop-down
                box is set to Enable, the user does not receive a security information message ("This
                page contains both secure and nonsecure items. Do you want to display the nonsecure
                items?") and nonsecure content can be displayed. If the drop-down box is set to Prompt,
                the user will receive the security information message on the Web pages that contain
                both secure (https://) and nonsecure (http://) content. If you disable this policy
                setting, users cannot receive the security information message and nonsecure content
                cannot be displayed. If you do not configure this policy setting, the user will receive
                the security information message on the Web pages that contain both secure (https://)
                and nonsecure (http://) content.

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  Setting:      Java permissions
  FDCC value:   Enabled:High Safety | Enabled:High Safety
  CCE:          CCE-218
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1!1C00
  Description:  This policy setting allows you to manage permissions for Java applets. If you enable
                this policy setting, you can choose options from the drop-down box:
                - Custom, to control permissions settings individually.
                - Low Safety enables applets to perform all operations.
                - Medium Safety enables applets to run in their sandbox (an area in memory outside of
                  which the program cannot make calls), plus capabilities like scratch space (a safe and
                  secure storage area on the client computer) and user-controlled file I/O.
                - High Safety enables applets to run in their sandbox.
                - Disable Java, to prevent any applets from running.
                If you disable this policy setting, Java applets cannot run. If you do not configure
                this policy setting, the permission is set to High Safety.
  Note:         This only applies to MS Java, not Sun Java.
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  Setting:      Display mixed content
  FDCC value:   Not Configured | Not Configured
  CCE:          CCE-473
  Registry:     HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0!1609
  Description:  This policy setting allows you to manage whether users can display nonsecure items and
                manage whether users receive a security information message to display pages containing
                both secure and nonsecure items. If you enable this policy setting, and the drop-down
                box is set to Enable, the user does not receive a security information message ("This
                page contains both secure and nonsecure items. Do you want to display the nonsecure
                items?") and nonsecure content can be displayed. If the drop-down box is set to Prompt,
                the user will receive the security information message on the Web pages that contain
                both secure (https://) and nonsecure (http://) content. If you disable this policy
                setting, users cannot receive the security information message and nonsecure content
                cannot be displayed. If you do not configure this policy setting, the user will receive
                the security information message on the Web pages that contain both secure (https://)
                and nonsecure (http://) content.




Computer                     Java permissions          Enabled:Disable   Enabled: Disable   CCE-138   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage permissions for Java applets.
Configuration\Administrative                           Java              Java                         s\CurrentVersion\Internet                 If you enable this policy setting, you can choose options from the drop-down
                                                                                                                                                box. Custom, to control permissions settings individually. Low Safety enables
Templates\Windows                                                                                     Settings\Zones\0!1C00                     applets to perform all operations. Medium Safety enables applets to run in
Components\Internet                                                                                                                             their sandbox (an area in memory outside of which the program cannot make
Explorer\Internet Control                                                                                                                       calls), plus capabilities like scratch space (a safe and secure storage area on
Panel\Security Page\Local                                                                                                                       the client computer) and user-controlled file I/O. High Safety enables applets
Machine Zone                                                                                                                                    to run in their sandbox. Disable Java to prevent any applets from running.
                                                                                                                                                If you disable this policy setting, Java applets cannot run. If you do not
                                                                                                                                                configure this policy setting, the permission is set to High Safety.
                                                                                                                                                Note: This only applies to MS Java, not Sun Java.




Computer                     Display mixed content     Not Configured    Not Configured     CCE-878   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage whether users can display
Configuration\Administrative                                                                          s\CurrentVersion\Internet                 nonsecure items and manage whether users receive a security information
                                                                                                                                                message to display pages containing both secure and nonsecure items.
Templates\Windows                                                                                     Settings\Lockdown_Zones\3!1609            If you enable this policy setting, and the drop-down box is set to Enable, the
Components\Internet                                                                                                                             user does not receive a security information message (This page contains
Explorer\Internet Control                                                                                                                       both secure and nonsecure items. Do you want to display the nonsecure
Panel\Security Page\Locked-                                                                                                                     items?) and nonsecure content can be displayed. If the drop-down box is set
Down Internet Zone                                                                                                                              to Prompt, the user will receive the security information message on the Web
                                                                                                                                                pages that contain both secure (https://) and nonsecure (http://) content.
                                                                                                                                                If you disable this policy setting, users cannot receive the security information
                                                                                                                                                message and nonsecure content cannot be displayed. If you do not configure
                                                                                                                                                this policy setting, the user will receive the security information message on
                                                                                                                                                the Web pages that contain both secure (https://) and nonsecure (http://)
                                                                                                                                                content.




Computer                     Download signed ActiveX   Enabled:Disable   Enabled:Disable    CCE-308   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage whether users may download signed
Configuration\Administrative controls                                                                 s\CurrentVersion\Internet                 ActiveX controls from a page in the zone. If you enable this policy, users can
                                                                                                                                                download signed controls without user intervention. If you select Prompt in
Templates\Windows                                                                                     Settings\Lockdown_Zones\3!1001            the drop-down box, users are queried whether to download controls signed
Components\Internet                                                                                                                             by publishers who aren't trusted. Code signed by trusted publishers is silently
Explorer\Internet Control                                                                                                                       downloaded. If you disable the policy setting, signed controls cannot be
Panel\Security Page\Locked-                                                                                                                     downloaded. If you do not configure this policy setting, users are queried
Down Internet Zone                                                                                                                              whether to download controls signed by publishers who aren't trusted. Code
                                                                                                                                                signed by trusted publishers is silently downloaded.
Computer                     Java permissions        Enabled:Disable   Enabled: Disable   CCE-781   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage permissions for Java applets.
Configuration\Administrative                         Java              Java                         s\CurrentVersion\Internet                 If you enable this policy setting, you can choose options from the drop-down
                                                                                                                                              box. Custom, to control permissions settings individually. Low Safety enables
Templates\Windows                                                                                   Settings\Lockdown_Zones\3!1C00            applets to perform all operations. Medium Safety enables applets to run in
Components\Internet                                                                                                                           their sandbox (an area in memory outside of which the program cannot make
Explorer\Internet Control                                                                                                                     calls), plus capabilities like scratch space (a safe and secure storage area on
Panel\Security Page\Locked-                                                                                                                   the client computer) and user-controlled file I/O. High Safety enables applets
Down Internet Zone                                                                                                                            to run in their sandbox. Disable Java to prevent any applets from running.
                                                                                                                                              If you disable this policy setting, Java applets cannot run. If you do not
                                                                                                                                              configure this policy setting, the permission is set to High Safety.
                                                                                                                                              Note: This only applies to MS Java, not Sun Java.




Computer                     Display mixed content   Not Configured    Not Configured     CCE-552                                             This policy setting allows you to manage whether users can display
Configuration\Administrative                                                                                                                  nonsecure items and manage whether users receive a security information
                                                                                                                                              message to display pages containing both secure and nonsecure items.
Templates\Windows                                                                                                                             If you enable this policy setting, and the drop-down box is set to Enable, the
Components\Internet                                                                                                                           user does not receive a security information message (This page contains
Explorer\Internet Control                                                                                                                     both secure and nonsecure items. Do you want to display the nonsecure
Panel\Security Page\Locked-                                                                                                                   items?) and nonsecure content can be displayed. If the drop-down box is set
Down Intranet Zone                                                                                                                            to Prompt, the user will receive the security information message on the Web
                                                                                                                                              pages that contain both secure (https://) and nonsecure (http://) content.
                                                                                                                                              If you disable this policy setting, users cannot receive the security information
                                                                                                                                              message and nonsecure content cannot be displayed. If you do not configure
                                                                                                                                              this policy setting, the user will receive the security information message on
                                                                                                                                              the Web pages that contain both secure (https://) and nonsecure (http://)
                                                                                                                                              content.




Computer                     Java permissions        Enabled:Disable   Enabled: Disable   CCE-320   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage permissions for Java applets.
Configuration\Administrative                         Java              Java                         s\CurrentVersion\Internet                 If you enable this policy setting, you can choose options from the drop-down
                                                                                                                                              box. Custom, to control permissions settings individually. Low Safety enables
Templates\Windows                                                                                   Settings\Lockdown_Zones\1!1C00            applets to perform all operations. Medium Safety enables applets to run in
Components\Internet                                                                                                                           their sandbox (an area in memory outside of which the program cannot make
Explorer\Internet Control                                                                                                                     calls), plus capabilities like scratch space (a safe and secure storage area on
Panel\Security Page\Locked-                                                                                                                   the client computer) and user-controlled file I/O. High Safety enables applets
Down Intranet Zone                                                                                                                            to run in their sandbox. Disable Java to prevent any applets from running.
                                                                                                                                              If you disable this policy setting, Java applets cannot run. If you do not
                                                                                                                                              configure this policy setting, the permission is set to High Safety.
                                                                                                                                              Note: This only applies to MS Java, not Sun Java.




Computer                     Display mixed content   Not Configured    Not Configured     CCE-239   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage whether users can display
Configuration\Administrative                                                                        s\CurrentVersion\Internet                 nonsecure items and manage whether users receive a security information
                                                                                                                                              message to display pages containing both secure and nonsecure items.
Templates\Windows                                                                                   Settings\Lockdown_Zones\0!1609            If you enable this policy setting, and the drop-down box is set to Enable, the
Components\Internet                                                                                                                           user does not receive a security information message (This page contains
Explorer\Internet Control                                                                                                                     both secure and nonsecure items. Do you want to display the nonsecure
Panel\Security Page\Locked-                                                                                                                   items?) and nonsecure content can be displayed. If the drop-down box is set
Down Local Machine Zone                                                                                                                       to Prompt, the user will receive the security information message on the Web
                                                                                                                                              pages that contain both secure (https://) and nonsecure (http://) content.
                                                                                                                                              If you disable this policy setting, users cannot receive the security information
                                                                                                                                              message and nonsecure content cannot be displayed. If you do not configure
                                                                                                                                              this policy setting, the user will receive the security information message on
                                                                                                                                              the Web pages that contain both secure (https://) and nonsecure (http://)
                                                                                                                                              content.
Computer                     Java permissions            Enabled:Disable   Enabled: Disable   CCE-1045   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage permissions for Java applets.
Configuration\Administrative                             Java              Java                          s\CurrentVersion\Internet                 If you enable this policy setting, you can choose options from the drop-down
                                                                                                                                                   box. Custom, to control permissions settings individually. Low Safety enables
Templates\Windows                                                                                        Settings\Lockdown_Zones\0!1C00            applets to perform all operations. Medium Safety enables applets to run in
Components\Internet                                                                                                                                their sandbox (an area in memory outside of which the program cannot make
Explorer\Internet Control                                                                                                                          calls), plus capabilities like scratch space (a safe and secure storage area on
Panel\Security Page\Locked-                                                                                                                        the client computer) and user-controlled file I/O. High Safety enables applets
Down Local Machine Zone                                                                                                                            to run in their sandbox. Disable Java to prevent any applets from running.
                                                                                                                                                   If you disable this policy setting, Java applets cannot run. If you do not
                                                                                                                                                   configure this policy setting, the permission is set to High Safety.
                                                                                                                                                   Note: This only applies to MS Java, not Sun Java.




Computer                     Display mixed content       Not Configured    Not Configured     CCE-30     HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage whether users can display
Configuration\Administrative                                                                             s\CurrentVersion\Internet                 nonsecure items and manage whether users receive a security information
                                                                                                                                                   message to display pages containing both secure and nonsecure items.
Templates\Windows                                                                                        Settings\Lockdown_Zones\4!1609            If you enable this policy setting, and the drop-down box is set to Enable, the
Components\Internet                                                                                                                                user does not receive a security information message (This page contains
Explorer\Internet Control                                                                                                                          both secure and nonsecure items. Do you want to display the nonsecure
Panel\Security Page\Locked-                                                                                                                        items?) and nonsecure content can be displayed. If the drop-down box is set
Down Restricted Sites Zone                                                                                                                         to Prompt, the user will receive the security information message on the Web
                                                                                                                                                   pages that contain both secure (https://) and nonsecure (http://) content.
                                                                                                                                                   If you disable this policy setting, users cannot receive the security information
                                                                                                                                                   message and nonsecure content cannot be displayed. If you do not configure
                                                                                                                                                   this policy setting, the user will receive the security information message on
                                                                                                                                                   the Web pages that contain both secure (https://) and nonsecure (http://)
                                                                                                                                                   content.




Computer                     Java permissions            Enabled:Disable   Enabled: Disable   CCE-1088   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage permissions for Java applets.
Configuration\Administrative                             Java              Java                          s\CurrentVersion\Internet                 If you enable this policy setting, you can choose options from the drop-down
                                                                                                                                                   box. Custom, to control permissions settings individually. Low Safety enables
Templates\Windows                                                                                        Settings\Lockdown_Zones\4!1C00            applets to perform all operations. Medium Safety enables applets to run in
Components\Internet                                                                                                                                their sandbox (an area in memory outside of which the program cannot make
Explorer\Internet Control                                                                                                                          calls), plus capabilities like scratch space (a safe and secure storage area on
Panel\Security Page\Locked-                                                                                                                        the client computer) and user-controlled file I/O. High Safety enables applets
Down Restricted Sites Zone                                                                                                                         to run in their sandbox. Disable Java to prevent any applets from running.
                                                                                                                                                   If you disable this policy setting, Java applets cannot run. If you do not
                                                                                                                                                   configure this policy setting, the permission is set to High Safety.
                                                                                                                                                   Note: This only applies to MS Java, not Sun Java.




Computer                     Allow status bar updates via Not Configured   Not Configured     CCE-1147   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to manage whether script is allowed to update
Configuration\Administrative script                                                                      s\CurrentVersion\Internet                 the status bar within the zone. If you enable this policy setting, script is
                                                                                                                                                   allowed to update the status bar. If you disable this policy setting, script is not
Templates\Windows                                                                                        Settings\Lockdown_Zones\2!2103            allowed to update the status bar. If you do not configure this policy setting,
Components\Internet                                                                                                                                status bar updates via scripts will be disabled.
Explorer\Internet Control
Panel\Security Page\Locked-
Down Trusted Sites Zone
Computer                     Display mixed content     Not Configured     Not Configured     CCE-666                                             This policy setting allows you to manage whether users can display
Configuration\Administrative                                                                                                                     nonsecure items and manage whether users receive a security information
                                                                                                                                                 message to display pages containing both secure and nonsecure items.
Policy path (continued): Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
Description (continued): If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Setting: Java permissions (CCE-140)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
FDCC values: Enabled:Disable Java / Enabled:Disable Java
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2!1C00
Description: This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box: Custom, to control permission settings individually; Low Safety, which enables applets to perform all operations; Medium Safety, which enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O; High Safety, which enables applets to run in their sandbox; and Disable Java, to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. Note: This only applies to MS Java, not Sun Java.

Setting: Access data sources across domains (CCE-636)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1406
Description: This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

Setting: Allow active scripting (CCE-292)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1400
Description: This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on pages in the zone can run automatically.

Setting: Allow binary and script behaviors (CCE-178)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2000
Description: This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are available.

Setting: Allow cut, copy or paste operations from the clipboard via script (CCE-1031)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1407
Description: This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script can perform a clipboard operation.

Setting: Allow drag and drop or copy and paste files (CCE-41)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1802
Description: This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically.

Setting: Allow file downloads (CCE-970)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1803
Description: This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files can be downloaded from the zone.

Setting: Allow font downloads (CCE-882)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1604
Description: This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically.

Setting: Allow installation of desktop items (CCE-763)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1800
Description: This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If you enable this policy setting, users can install desktop items from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to install desktop items from this zone. If you disable this policy setting, users are prevented from installing desktop items from this zone. If you do not configure this policy setting, users are queried to choose whether to install desktop items from this zone.

Setting: Allow META REFRESH (CCE-680)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1608
Description: This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.

Setting: Allow script-initiated windows without size or position constraints (CCE-208)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2102
Description: This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

Setting: Allow status bar updates via script (CCE-129)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Not Configured / Not Configured
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2103
Description: This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable this policy setting, script is not allowed to update the status bar. If you do not configure this policy setting, status bar updates via scripts will be disabled.

Setting: Automatic prompting for file downloads (CCE-175)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Enable / Enabled:Enable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2200
Description: This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt.

Setting: Download signed ActiveX controls (CCE-52)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1001
Description: This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

Setting: Download unsigned ActiveX controls (CCE-1012)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1004
Description: This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.

Setting: Initialize and script ActiveX controls not marked as safe (CCE-26)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable / Enabled:Disable
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1201
Description: This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

Setting: Java permissions (CCE-925)
Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
FDCC values: Enabled:Disable Java / (blank)
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1C00
Description: This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box: Custom, to control permission settings individually; Low Safety, which enables applets to perform all operations; Medium Safety, which enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O; High Safety, which enables applets to run in their sandbox; and Disable Java, to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. Note: This only applies to MS Java, not Sun Java.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Launching applications and files in an IFRAME
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-339
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1804
Description: This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Logon options
Values: Enabled:Anonymous logon / Enabled:Anonymous logon
CCE ID: CCE-128
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1A00
Description: This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Loose or un-compiled XAML files
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-639
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2402
Description: These are eXtensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that leverage the Windows Presentation Foundation. If you enable this policy setting and the dropdown box is set to Enable, .XAML files will be automatically loaded inside Internet Explorer 7.0. Users will not be able to change this behavior. If the dropdown box is set to Prompt, users will receive a prompt for loading .XAML files. If you disable this policy setting, .XAML files will not be loaded inside Internet Explorer 7. Users will not be able to change this behavior. If you do not configure this policy setting, users will have the freedom to decide whether to load XAML files inside Internet Explorer 7.0.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Navigate sub-frames across different domains
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-995
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1607
Description: This policy setting allows you to manage the opening of sub-frames and access of applications across different domains. If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains. If you disable this policy setting, users cannot open sub-frames or access applications from different domains. If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Open files based on content, not file extension
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-409
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2100
Description: This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Run .NET Framework-reliant components not signed with Authenticode
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-678
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2004
Description: This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Run .NET Framework-reliant components signed with Authenticode
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-563
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2001
Description: This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will execute signed managed components.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Run ActiveX controls and plugins
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-841
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1200
Description: This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention. If you select Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-ins to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy setting, controls and plug-ins can run without user intervention.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Script ActiveX controls marked safe for scripting
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-973
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1405
Description: This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script interaction can occur automatically without user intervention.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Scripting of Java applets
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-1000
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1402
Description: This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts can access applets automatically without user intervention. Note: This only applies to MS Java, not to Sun Java.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Software channel permissions
Values: Enabled:High Safety / Enabled:High Safety
CCE ID: CCE-520
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1E05
Description: This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box. Low safety to allow users to be notified of software updates by e-mail, software packages to be automatically downloaded to users' computers, and software packages to be automatically installed on users' computers. Medium safety to allow users to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers. High safety to prevent users from being notified of software updates by e-mail, software packages from being automatically downloaded to users' computers, and software packages from being automatically installed on users' computers. If you disable this policy setting, permissions are set to high safety. If you do not configure this policy setting, permissions are set to Medium safety.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Turn Off First-Run Opt-In
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-200
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1208
Description: This policy setting controls the First Run response that users see on a zone by zone basis. When a user encounters a new control that has not previously run in Internet Explorer, they may be prompted to approve the control. This feature determines if the user gets the prompt or not. If you enable this policy setting, the Gold Bar prompt will be turned off in the corresponding zone. If you disable this policy setting, the Gold Bar prompt will be turned on in the corresponding zone. If you do not configure this policy setting, the first-run prompt is turned off by default.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Turn on Protected Mode
Values: Enabled:Enable / Enabled:Enable
CCE ID: CCE-1211
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2500
Description: Protected mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. If you enable this policy setting, Protected Mode will be turned on. Users will not be able to turn off protected mode. If you disable this policy setting, Protected Mode will be turned off. It will revert to Internet Explorer 6 behavior that allows for Internet Explorer to write to the registry and the file system. Users will not be able to turn on protected mode. If you do not configure this policy, users will be able to turn on or off protected mode. Requires Windows Vista; will be ignored by Windows XP.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Use Pop-up Blocker
Values: Enabled:Enable / Enabled:Enable
CCE ID: CCE-660
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1809
Description: This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Setting: Userdata persistence
Values: Enabled:Disable / Enabled:Disable
CCE ID: CCE-28
Registry key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!1606
Description: This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Policy: Web Browser Applications
Setting: Not Configured / Not Configured
CCE: CCE-51
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2400
Description: These are browser-hosted, ClickOnce-deployed applications built using WinFX. These applications execute in a security sandbox and harness the power of the Windows Presentation Foundation platform for the Web. If you enable this policy setting and the dropdown box is set to Enable, .XBAPs will be automatically loaded inside Internet Explorer 7.0. Users will not be able to change this behavior. If the dropdown box is set to Prompt, users will receive a prompt for loading .XBAPs. If you disable this policy setting, .XBAPs will not be loaded inside Internet Explorer 7.0. Users will not be able to change this behavior. If you do not configure this policy setting, users will have the freedom to decide whether to load XBAPs inside Internet Explorer 7.0.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Policy: Web sites in less privileged Web content zones can navigate into this zone
Setting: Enabled:Disable / Enabled:Disabled
CCE: CCE-698
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4!2101
Description: This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by the Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Policy: Display mixed content
Setting: Not Configured / Not Configured
CCE: CCE-31
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1609
Description: This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security information message to display pages containing both secure and nonsecure items. If you enable this policy setting, and the drop-down box is set to Enable, the user does not receive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure content can be displayed. If the drop-down box is set to Prompt, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content. If you disable this policy setting, users cannot receive the security information message and nonsecure content cannot be displayed. If you do not configure this policy setting, the user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Policy: Java permissions
Setting: Enabled:High Safety / Enabled:High Safety
CCE: CCE-675
Registry: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2!1C00
Description: This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose one of the following options from the drop-down box. Custom lets you control permission settings individually. Low Safety enables applets to perform all operations. Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java prevents any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. Note: This only applies to MS Java, not Sun Java.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explorer and Internet Tools
Policy: Turn off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools
Setting: Enabled:blank / Enabled:blank
CCE: CCE-946
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Page
Description: This policy setting allows checking for updates for Internet Explorer from the specified URL, included by default in Internet Explorer. If you enable this policy setting, users will not be able to change the URL to be displayed for checking updates to Internet Explorer and Internet Tools. You must specify the URL to be displayed for checking updates to Internet Explorer and Internet Tools. If you disable or do not configure this policy setting, users will be able to change the URL to be displayed for checking updates to Internet Explorer and Internet Tools.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explorer and Internet Tools
Policy: Turn off configuring the update check interval (in days)
Setting: Enabled:30 / Enabled:30
CCE: CCE-237
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Interval
Description: This setting specifies the update check interval. The default value is 30 days. If you enable this policy setting, the user will not be able to configure the update check interval. You have to specify the update check interval. If you disable or do not configure this policy setting, the user will have the freedom to configure the update check interval.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features
Policy: Enable Native XMLHttp Support
Setting: Not Configured / Not Configured
CCE: CCE-528
Registry: HKLM\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
Description: This policy setting allows users to run natively implemented scriptable XMLHTTP. If you enable this policy setting, the users will be allowed to use natively implemented scriptable XMLHTTP. If you disable this policy setting, the users will be prevented from running scriptable native XMLHTTP. If you do not configure this policy setting, the user can choose to run scriptable native XMLHTTP.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent Mime Handling
Policy: Internet Explorer Processes
Setting: Enabled / Enabled
CCE: CCE-382
Registry:
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved)
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!iexplore.exe
Description: Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. The Consistent MIME Handling\Internet Explorer Processes policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME data indicates that the file is really an executable file, Internet Explorer changes its extension to reflect this executable status. This capability helps ensure that executable code cannot masquerade as other types of data that may be trusted. If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data provided by the file. MIME file-type spoofing is a potential threat to your organization. Ensuring that these files are consistent and properly labeled helps prevent malicious file downloads from infecting your network. Therefore, this appendix recommends you configure this policy as Enabled for all environments specified in this guide.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature
Policy: Internet Explorer Processes
Setting: Enabled / Enabled
CCE: CCE-985
Registry:
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved)
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!iexplore.exe
Description: MIME sniffing is the process of examining the content of a MIME file to determine its context — whether it is a data file, an executable file, or some other type of file. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. When set to Enabled, MIME sniffing will never promote a file of one type to a more dangerous file type. Disabling MIME sniffing configures Internet Explorer processes to allow a MIME sniff that promotes a file of one type to a more dangerous file type. For example, promoting a text file to an executable file is a dangerous promotion because any code in the supposed text file would be executed. MIME file-type spoofing is a potential threat to your organization. Ensuring that these files are consistently handled helps prevent malicious file downloads from infecting your network. Therefore, this appendix recommends you configure this policy as Enabled for all environments specified in this guide. Note: This setting works in conjunction with, but does not replace, the Consistent MIME Handling settings.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction
Policy: Internet Explorer Processes
Setting: Enabled / Enabled
CCE: CCE-591
Registry:
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved)
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!iexplore.exe
Description: The MK Protocol Security Restriction policy setting reduces attack surface area by blocking the seldom used MK protocol. Some older Web applications use the MK protocol to retrieve information from compressed files. Setting this policy to Enabled blocks the MK protocol for Windows Explorer and Internet Explorer, which causes resources that use the MK protocol to fail. Disabling this setting allows applications to use the MK protocol API. Because the MK protocol is not widely used, it should be blocked wherever it is not needed. This appendix recommends you configure this setting to Enabled to block the MK protocol unless you specifically need it in your environment. Note: Because resources that use the MK protocol will fail when you deploy this setting, you should ensure that none of your applications use the MK protocol.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
Policy: Internet Explorer Processes
Setting: Enabled / Enabled
CCE: CCE-347
Registry:
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved)
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!iexplore.exe
Description: Internet Explorer places restrictions on each Web page it opens that are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes the Local Machine security zone a prime target for malicious attackers. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. This approach stops content running in one zone from gaining the elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes. Because of the severity and relative frequency of zone elevation attacks, this appendix recommends that you configure this setting as Enabled in all environments.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
Policy: Internet Explorer Processes
Setting: Not Configured / Not Configured
CCE: CCE-119
Registry:
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved)
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!iexplore.exe
Description: The Restrict ActiveX Install\Internet Explorer Processes policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. If you disable this policy setting, prompting for ActiveX control installations will not be blocked. Users often choose to install software such as ActiveX controls that are not permitted by company security policy. Such software can pose significant security and privacy risks to your network. Therefore, this appendix recommends you configure this policy as Enabled. Note: This setting also blocks users from installing authorized legitimate ActiveX controls that will interfere with important system components like Windows Update. If you enable this setting, make sure to implement Software Update Services (SUS) or some alternate method of deploying security updates.

Policy path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download
Policy: Internet Explorer Processes
Setting: Enabled / Enabled
CCE: CCE-668
Registry:
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved)
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe
  HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!iexplore.exe
Description: In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they click the wrong button and accept the download. If you configure the Restrict File Download\Internet Explorer Processes policy setting to Enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes. If you configure this policy setting as Disabled, prompting will occur for file downloads that are not user-initiated for Internet Explorer processes. Note: This setting is configured as Enabled in all environments specified in this guide to help prevent attackers from placing arbitrary code on users' computers.

Computer                     Internet Explorer Processes Enabled       Enabled            CCE-827    HKLM\Software\Policies\Microsoft\Internet        Internet Explorer allows scripts to programmatically open, resize, and
Configuration\Administrative                                                                         Explorer\Main\FeatureControl\FEATURE_            reposition various types of windows. Often, disreputable Web sites will resize
                                                                                                                                                      windows to either hide other windows or force you to interact with a window
Templates\Windows                                                                                    WINDOW_RESTRICTIONS!(Reserved),                  that contains malicious code. The Scripted Window Security Restrictions
Components\Internet                                                                                  HKLM\Software\Policies\Microsoft\Internet        security feature restricts pop-up windows and prohibits scripts from displaying
Explorer\Security                                                                                    Explorer\Main\FeatureControl\FEATURE_            windows in which the title and status bars are not visible to the user or hide
Features\Scripted Window                                                                             WINDOW_RESTRICTIONS!explorer.exe,                other windows’ title and status bars. If you enable the Scripted Window
Security Restrictions                                                                                HKLM\Software\Policies\Microsoft\Internet        Security Restrictions\Internet Explorer Processes policy setting, pop-up
                                                                                                                                                      windows and other restrictions apply for Windows Explorer and Internet
                                                                                                     Explorer\Main\FeatureControl\FEATURE_            Explorer processes. If you disable or do not configure this policy setting,
                                                                                                     WINDOW_RESTRICTIONS!iexplore.exe                 scripts can continue to create pop-up windows and windows that hide other
                                                                                                                                                      windows. This appendix recommends you configure this setting to Enabled to
                                                                                                                                                      help prevent malicious Web sites from controlling your Internet Explorer
                                                                                                                                                      windows or fooling users into clicking on the wrong window.




Computer                       Prevent IIS installation     Enabled    Enabled            CCE-474    HKLM\Software\Policies\Microsoft\Window This blocks even local Administrators from adding local web services to the
Configuration\Administrative                                                                         s NT\IIS!PreventIISInstall              XP client, if this policy is Enabled.

Templates\Windows
Components\Internet
Information Services
Computer                       Disable remote Desktop       Enabled    Enabled            CCE-232    HKLM\Software\Policies\Microsoft\Confere Disables the remote desktop sharing feature of NetMeeting. Users will not be
Configuration\Administrative   Sharing                                                               ncing!NoRDS                              able to set it up or use it for controlling their computers remotely.
Templates\Windows
Components\NetMeeting
Computer                       Turn off Untrusted Content   Enabled    (Not Applicable)   CCE-95     HKLM\Software\Policies\Microsoft\Assistan Specifies whether untrusted content is rendered. By default, the Help viewer
Configuration\Administrative                                                                         ce\Client\1.0!NoUntrustedContent          renders untrusted assistance content pages with the exception of active links.
                                                                                                                                                      Active links, such as ShellExecute and Guided Help, are rendered as text and
Templates\Windows                                                                                                                                     are not clickable. If you enable this policy, untrusted content is not rendered
Components\Online                                                                                                                                     at all, and a navigation error page is displayed to the user. If you Disable or
Assistance                                                                                                                                            do not configure this setting, the default behavior (untrusted content is
                                                                                                                                                      rendered with the exception of active links, which are rendered as text only)
                                                                                                                                                      applies.


Computer                     Turn off downloading of        Enabled    Enabled            CCE-767    HKLM\Software\Policies\Microsoft\Internet This policy setting prevents users from having enclosures (file attachments)
Configuration\Administrative enclosures                                                              Explorer\Feeds!DisableEnclosureDownload downloaded from a feed to the user's computer. If you enable this policy
                                                                                                                                                      setting, the setting to download an enclosure is disabled. A developer cannot
Templates\Windows                                                                                                                                     change the download setting through the Feed application programming
Components\RSS Feeds                                                                                                                                  interfaces (APIs). If you disable this policy setting, a user can set the Feed
                                                                                                                                                      Sync Engine to download an enclosure through the Feed property page. A
                                                                                                                                                      developer can change the download setting through the Feed APIs.
                                                                                                                                                      If you do not configure this policy setting, the user can set the Feed Sync
                                                                                                                                                      Engine to download an enclosure through the Feed property page. A
                                                                                                                                                      developer can change the download setting by using the Feed APIs.



Computer                     Allow indexing of encrypted    Disabled   (Not Applicable)   CCE-1049   HKLM\SOFTWARE\Policies\Microsoft\Win             This policy setting allows encrypted items to be indexed. If you enable this
Configuration\Administrative files                                                                   dows\Windows                                     policy setting, indexing disregards encryption flags (access restrictions still
                                                                                                                                                      apply though) and will attempt to decrypt and index the content. If you disable
Templates\Windows                                                                                    Search!AllowIndexingEncryptedStoresOrIte         this policy setting, the search service components (including the ones from
Components\Search                                                                                    ms                                               3rd parties) are expected not to index encrypted items such as emails or files,
                                                                                                                                                      and to avoid indexing encrypted stores. This policy setting is not configured
                                                                                                                                                      by default. If you do not configure this policy setting, the local setting,
                                                                                                                                                      configured through the control panel, will be respected. Note: By default, the
                                                                                                                                                      control panel setting is set to not index encrypted content. Note: Enabling this
                                                                                                                                                      policy setting will not allow encrypted files in the local file system to be
                                                                                                                                                      indexed.
Computer                     Prevent indexing uncached   Enabled            (Not Applicable)   CCE-1058   HKLM\SOFTWARE\Policies\Microsoft\Win    Enabling this policy setting prevents indexing of mail items on a Microsoft
Configuration\Administrative Exchange folders                                                             dows\Windows                            Exchange server when Microsoft Outlook is run in uncached mode. This is
                                                                                                                                                  the default behavior and so for uncached items to be indexed this policy
Templates\Windows                                                                                         Search!PreventIndexingUncachedExchang   setting must be disabled. Note that versions of Outlook prior to 2003 do not
Components\Search                                                                                         eFolders                                support cached mode and so only local items such as PST files will be
                                                                                                                                                  indexed if this policy setting is enabled or left in the not configured state.


Computer                     Do not allow passwords to   (Not Applicable)   Enabled            CCE-976    HKLM\SOFTWARE\Policies\Microsoft\Win    Controls whether passwords can be saved on this computer from Terminal
Configuration\Administrative be saved                                                                     dows NT\Terminal                        Services clients. If you enable this setting the password saving checkbox in
                                                                                                                                                  Terminal Services clients will be disabled and users will no longer be able to
Templates\Windows                                                                                         Services!DisablePasswordSaving          save passwords. When a user opens an RDP file using the Terminal
Components\Terminal                                                                                                                               Services client and saves his settings, any password that previously existed
Services\Client                                                                                                                                   in the RDP file will be deleted. If you disable this setting or leave it not
                                                                                                                                                  configured, the user will be able to save passwords using the Terminal
                                                                                                                                                  Services client. Note: this setting has a different name (Remote Desktop
                                                                                                                                                  Connection Client) when viewing the GPO using Vista GPMC



Computer                     Set client connection       (Not Applicable)   Enabled:High       CCE-397    HKLM\SOFTWARE\Policies\Microsoft\Win    Specifies whether to require the use of a specific encryption level to secure
Configuration\Administrative encryption level                               Level                         dows NT\Terminal                        communications between clients and terminal servers during Remote
                                                                                                                                                  Desktop Protocol (RDP) connections.
Templates\Windows                                                                                         Services!MinEncryptionLevel             If you enable this setting, all communications between clients and terminal
Components\Terminal                                                                                                                               servers during remote connections must use the encryption method specified
Services\Encryption and                                                                                                                           in this setting. By default, the encryption level is set to High. The following
Security                                                                                                                                          encryption methods are available:
                                                                                                                                                  -High: The High setting encrypts data sent from the client to the server and
                                                                                                                                                  from the server to the client by using strong 128-bit encryption. Use this
                                                                                                                                                  encryption level in environments that contain only 128-bit clients (for example,
                                                                                                                                                  clients that run Remote Desktop Connection). Clients that do not support this
                                                                                                                                                  encryption level cannot connect to terminal servers.
                                                                                                                                                  -Client Compatible: The Client Compatible setting encrypts data sent between
                                                                                                                                                  the client and the server at the maximum key strength supported by the client.
                                                                                                                                                  Use this encryption level in environments that include clients that do not
                                                                                                                                                  support 128-bit encryption.
                                                                                                                                                  -Low: The Low setting encrypts only data sent from the client to the server
                                                                                                                                                  using 56-bit encryption.
                                                                                                                                                  If you disable or do not configure this setting, the encryption level to be used
                                                                                                                                                  for remote connections to terminal servers is not enforced through Group
Computer                     Do not allow passwords to   Enabled            (Not Applicable)   CCE-976    HKLM\SOFTWARE\Policies\Microsoft\Win    Controls whether passwords can be saved on encryption level for these
                                                                                                                                                  Policy. However, you can configure a required this computer from Terminal
Configuration\Administrative be saved                                                                     dows NT\Terminal                        Services clients. If you enable this setting the password saving checkbox in
                                                                                                                                                  Terminal Services clients will be disabled and users will no longer be able to
Templates\Windows                                                                                         Services!DisablePasswordSaving          save passwords. When a user opens an RDP file using the Terminal
Components\Terminal                                                                                                                               Services client and saves his settings, any password that previously existed
Services\Remote Desktop                                                                                                                           in the RDP file will be deleted. If you disable this setting or leave it not
Connection Client                                                                                                                                 configured, the user will be able to save passwords using the Terminal
                                                                                                                                                  Services client.
Computer                     Set time limit for             (Not Applicable)    Enabled: 1 minute CCE-920    HKLM\SOFTWARE\Policies\Microsoft\Win      This policy setting allows you to configure a time limit for disconnected
Configuration\Administrative disconnected sessions                                                           dows NT\Terminal                          Terminal Services sessions. You can use this policy setting to specify the
                                                                                                                                                       maximum amount of time that a disconnected session is kept active on the
Templates\Windows                                                                                            Services!MaxDisconnectionTime             server. By default, Terminal Services allows users to disconnect from a
Components\Terminal                                                                                                                                    remote session without logging off and ending the session. When a session
Services\Session                                                                                                                                       is in a disconnected state, running programs are kept active even though the
                                                                                                                                                       user is no longer actively connected. By default, these disconnected sessions
                                                                                                                                                       are maintained for an unlimited time on the server. If you enable this policy
                                                                                                                                                       setting, disconnected sessions are deleted from the server after the specified
                                                                                                                                                       amount of time. To enforce the default behavior that disconnected sessions
                                                                                                                                                       are maintained for an unlimited time, select “Never”. If you have a console
                                                                                                                                                       session, disconnected session time limits do not apply. If you disable or do
                                                                                                                                                       not configure this policy setting, disconnected sessions are maintained for an
                                                                                                                                                       unlimited time. You can specify time limits for disconnected sessions on the
                                                                                                                                                       Sessions tab in the Terminal Services Configuration tool.
                                                                                                                                                       Note: This policy setting appears in both Computer Configuration and User
                                                                                                                                                       Configuration. If both policy settings are configured, the Computer
                                                                                                                                                       Configuration policy setting takes precedence.

Computer                     Set a time limit for active but (Not Applicable)   Enabled: 15        CCE-123   HKLM\Software\Policies\Microsoft\Window   This policy setting allows you to specify the maximum amount of time that an
Configuration\Administrative idle Terminal Services                             minutes                      s NT\Terminal                             active Terminal Services session can be idle (without user input) before it is
                                                                                                                                                       automatically disconnected. If you enable this policy setting, you must select
Templates\Windows            sessions                                                                        Services!MaxDisconnectionTime             the desired time limit in the Idle session limit drop-down list. Terminal
Components\Terminal                                                                                                                                    Services will automatically disconnect active but idle sessions after the
Services\Session                                                                                                                                       specified amount of time. The user receives a warning two minutes before the
                                                                                                                                                       session disconnects, which allows the user to press a key or move the mouse
                                                                                                                                                       to keep the session active. If you have a console session, idle session time
                                                                                                                                                       limits do not apply. If you disable or do not configure this policy setting,
                                                                                                                                                       Terminal Services allows sessions to remain active but idle for an unlimited
                                                                                                                                                       time. You can specify time limits for active but idle sessions on the Sessions
                                                                                                                                                       tab in the Terminal Services Configuration tool. If you want Terminal Services
                                                                                                                                                       to terminate—instead of disconnect—a session when the time limit is
                                                                                                                                                       reached, you can configure the “Computer Configuration\Administrative
                                                                                                                                                       Templates\Windows Components\Terminal Services\Terminal Server\Session
                                                                                                                                                       Time Limits\Terminate session when time limits are reached” policy setting.
                                                                                                                                                       Note: This policy setting appears in both Computer Configuration and User
                                                                                                                                                       Configuration. If both policy settings are configured, the Computer
Computer                     Do not allow drive             Enabled             (Not Applicable)   CCE-648   HKLM\SOFTWARE\Policies\Microsoft\Win      Configuration policy setting takesmapping of client drives in a Terminal
                                                                                                                                                       Specifies whether to prevent the precedence.
Configuration\Administrative redirection                                                                     dows NT\Terminal Services!fDisableCdm     Services session (drive redirection). By default, Terminal Services maps
                                                                                                                                                       client drives automatically upon connection. Mapped drives appear in the
Templates\Windows                                                                                                                                      session folder tree in Windows Explorer or My Computer in the format
Components\Terminal                                                                                                                                    <driveletter> on <computername>. You can use this setting to override this
Services\Terminal                                                                                                                                      behavior. If the status is set to Enabled, client drive redirection is not allowed
Server\Device and Resource                                                                                                                             in Terminal Services sessions. If the status is set to Disabled, client drive
Redirection                                                                                                                                            redirection is always allowed. If the status is set to Not Configured, client
                                                                                                                                                       drive redirection is not specified at the Group Policy level. However, an
                                                                                                                                                       administrator can still disable client drive redirection by using the Terminal
                                                                                                                                                       Services Configuration tool.
Path: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security
Setting: Always prompt client for password upon connection
Values: Enabled | (Not Applicable)
CCE ID: CCE-855
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword
Description: Specifies whether Terminal Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. If the status is set to Enabled, users cannot automatically log on to Terminal Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. If the status is set to Disabled, users can always log on to Terminal Services automatically by supplying their passwords in the Remote Desktop Connection client. If the status is set to Not Configured, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the Terminal Services Configuration tool.

Path: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security
Setting: Set client connection encryption level
Values: Enabled: High Level | (Not Applicable)
CCE ID: CCE-397
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
Description: Specifies whether to require the use of a specific encryption level to secure communications between clients and terminal servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and terminal servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
- High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to terminal servers.
- Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
- Low: The Low setting encrypts only data sent from the client to the server using 56-bit encryption.
If you disable or do not configure this setting, the encryption level to be used for remote connections to terminal servers is not enforced through Group Policy. However, you can configure a required encryption level for these

Path: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
Setting: Sets a time limit for active but idle Terminal Services sessions
Values: Enabled: 15 minutes | (Not Applicable)
CCE ID: CCE-855
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
Description: This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop-down list. Terminal Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. If you disable or do not configure this policy setting, Terminal Services allows sessions to remain active but idle for an unlimited time. You can specify time limits for active but idle sessions on the Sessions tab in the Terminal Services Configuration tool. If you want Terminal Services to terminate—instead of disconnect—a session when the time limit is reached, you can configure the “Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits\Terminate session when time limits are reached” policy setting.
Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.

Path: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
Setting: Set time limit for disconnected sessions
Values: Enabled: 1 minute | (Not Applicable)
CCE ID: CCE-920
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
Description: This policy setting allows you to configure a time limit for disconnected Terminal Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select “Never”. If you have a console session, disconnected session time limits do not apply. If you disable or do not configure this policy setting, disconnected sessions are maintained for an unlimited time. You can specify time limits for disconnected sessions on the Sessions tab in the Terminal Services Configuration tool.
Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Defender
Setting: Configure Microsoft Spynet Reporting
Values: Disabled | (Not Applicable)
CCE ID: CCE-312
Registry: HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet!SpyNetReporting
Description: Adjusts membership in Microsoft SpyNet. Microsoft SpyNet is the online community that helps you choose how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections. Here's how it works. When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the actions you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information. If you enable this policy setting and choose "No Membership" from the drop-down list, SpyNet membership will be disabled. At this setting, no information will be sent to Microsoft. You will not be alerted if Windows Defender detects unclassified software running on your computer. Local users will not be able to change their SpyNet membership. If you enable this policy setting and choose "Basic" from the drop-down list, SpyNet membership is set to "Basic". At this setting, basic information about

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
Setting: Disable Logging
Values: Disabled | (Not Applicable)
CCE ID: CCE-959
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
Description: If this setting is enabled, Windows Error Reporting events will not be logged to the system event log.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
Setting: Disable Windows Error Reporting
Values: Enabled | (Not Applicable)
CCE ID: CCE-803
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
Description: If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel. See also Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communications Settings | Turn off Windows Error Reporting.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
Setting: Display Error Notification
Values: Disabled | (Not Applicable)
CCE ID: CCE-259
Registry: HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ShowUI, HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWAllowHeadless
Description: Use this setting to control whether or not a user is given the choice to report an error. When Display Error Notification is enabled, the user will be notified that an error has occurred and will be given access to details about the error. If the Configure Error Reporting setting is also enabled, the user will also be given the choice of whether to report the error. When Display Error Notification is not enabled, the user will not be given the choice of whether to report the error. If the Configure Error Reporting setting is enabled, the error will be automatically reported, but the user will not be notified that an error has occurred. Disabling this setting is useful for server machines that do not have interactive users. If you do not configure this setting, the user will be able to adjust the setting via the control panel, which is set to 'enable notification' by default on Windows XP Personal and Windows XP Professional machines and 'disable notification' on servers.
Also, see the "Configure Error Reporting" policy.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
Setting: Do not send additional data
Values: Enabled | (Not Applicable)
CCE ID: CCE-798
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
Description: If this setting is enabled, any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Explorer
Setting: Turn off heap termination on corruption
Values: Disabled | (Not Applicable)
CCE ID: CCE-384
Registry: HKLM\Software\Policies\Microsoft\Windows\Explorer!NoHeapTerminationOnCorruption
Description: Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Explorer
Setting: Turn off shell protocol protected mode
Values: Disabled | Disabled
CCE ID: CCE-480
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavior
Description: This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol, allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting, the protocol is fully enabled, allowing the opening of folders and files. If you disable this policy setting, the protocol is in the protected mode, allowing applications to only open a limited set of folders. If you do not configure this policy setting, the protocol is in the protected mode, allowing applications to only open a limited set of folders.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Installer
Setting: Disable IE security prompt for Windows Installer scripts
Values: Disabled | Disabled
CCE ID: CCE-261
Registry: HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting
Description: Allows Web-based programs to install software on the computer without notifying the user. By default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. This setting suppresses the warning and allows the installation to proceed. This setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this setting can pose a security risk, it should be applied cautiously.

Path: Computer Configuration\Administrative Templates\Windows Components\Windows Installer
Setting: Enable user control over installs
Values: Disabled | Disabled
CCE ID: CCE-415
Registry: HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl
Description: Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. It permits installations to complete that otherwise would be halted due to a security violation. The security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevent software from being installed.

Setting: Prohibit non-administrators from applying vendor signed updates
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Installer
Vista: Enabled | XP: Enabled | CCE: CCE-612
Registry: HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching
Description: This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. If you disable this policy setting, users without administrative privileges will be able to install non-administrator updates.

Setting: Report when logon server was not available during user logon
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-392
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
Description: This policy controls whether the logged-on user should be notified if the logon server could not be contacted during logon and the user has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. If disabled or not configured, no popup will be displayed to the user.

Setting: Turn off the communities features
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Mail
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-96
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!DisableCommunities
Description: Windows Mail will not check your newsgroup servers for Communities support.

Setting: Turn off Windows Mail application
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Mail
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-331
Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed
Description: Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.

Setting: Prevent Windows Media DRM Internet Access
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management
Vista: Enabled | XP: Not Configured | CCE: CCE-1089
Registry: HKLM\Software\Policies\Microsoft\WMDRM!DisableOnline
Description: Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario. When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download

Setting: Do Not Show First Use Dialog Boxes
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
Vista: Enabled | XP: Enabled | CCE: CCE-1140
Registry: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!GroupPrivacyAcceptance
Description: This policy prevents the Privacy Options and Installation Options dialog boxes from being displayed the first time a user starts Windows Media Player. This policy prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. When this policy is not configured or disabled, the dialog boxes are displayed when the user starts the Player for the first time.

Setting: Prevent Automatic Updates
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
Vista: Enabled | XP: Enabled | CCE: CCE-455
Registry: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DisableAutoUpdate
Description: This policy prevents the Player from being updated and prevents users with administrator rights from being prompted to update the Player if an updated version is available. The Check for Player Updates command on the Help menu in the Player is not available. In addition, none of the time intervals in the Check for updates section on the Player tab are selected or available. When this policy is not configured or disabled, Check for Player Updates is available only to users with administrator rights and they may be prompted to update the Player if an updated version is available. By default, users with administrator rights can select how frequently updates are checked for. Users without administrator rights do not see Check for Player Updates and are never prompted to update the Player even without this policy.

Setting: Prevent Desktop Shortcut Creation
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
Vista: Not Configured | XP: Not Configured | CCE: CCE-313
Registry: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DesktopShortcut
Description: This policy prevents a shortcut icon for the Player from being added to the user's desktop. When this policy is not configured or disabled, users can choose whether to add the Player shortcut icon to their desktops.

Setting: Turn off Windows Meeting Space
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Meeting Space
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-992
Registry: HKLM\Software\Policies\Microsoft\Windows\Collaboration!TurnOffWindowsCollaboration
Description: Windows Meeting Space is a feature that enables quick, face-to-face collaboration for sharing programs and handouts and for passing notes. If you enable this setting, Windows Meeting Space will be turned off. If you disable or do not configure this setting, Windows Meeting Space will be turned on. The default setting is for Windows Meeting Space to be turned on.
Note: the sheet attaches a second paragraph to this row that describes the separate Windows Meeting Space auditing policy, not this setting: Windows Meeting Space is a feature that enables quick, face-to-face collaboration for sharing programs and handouts and for passing notes. If you enable this setting, Windows Meeting Space will audit various events that occur during a session (for example, when a user creates a session, joins a session, or starts a presentation) in the event log. If you disable or do not configure this setting, Windows Meeting Space auditing will be turned off. The default setting is for Windows Meeting Space auditing to be turned off.

Setting: Do not allow Windows Messenger to be run
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Messenger
Vista: Enabled | XP: Enabled | CCE: CCE-802
Registry: HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun
Description: Allows you to disable Windows Messenger. If you enable this setting, Windows Messenger will not run. If you disable or do not configure this setting, Windows Messenger can be used. Note: If you enable this setting, Remote Assistance also cannot use Windows Messenger. Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence.

Setting: Do not automatically start Windows Messenger initially
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Messenger
Vista: Enabled | XP: Enabled | CCE: CCE-309
Registry: HKLM\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
Description: Windows Messenger is automatically loaded and running when a user logs on to a Windows XP computer. You can use this setting to stop Windows Messenger from automatically being run at logon. If you enable this setting, Windows Messenger will not be loaded automatically when a user logs on. If you disable or do not configure this setting, Windows Messenger will be loaded automatically at logon. Note: This setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that point on, Windows Messenger will be loaded. The user can also configure this behavior on the Preferences tab on the Tools menu in the Windows Messenger user interface. Note: If you do not want users to use Windows Messenger, enable the "Do not allow Windows Messenger to be run" setting. Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence.

Setting: Disable unpacking and installation of gadgets that are not digitally signed
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-297
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGadgets
Description: Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, Windows Sidebar will not extract any gadgets that have not been digitally signed. If you disable or do not configure this setting, Windows Sidebar will extract both signed and unsigned gadgets. The default is for Windows Sidebar to extract both signed and unsigned gadgets.

Setting: Override the More Gadgets Link
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-702
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!OverrideMoreGadgetsLink
Description: The Windows Sidebar contains a link to allow users to download more gadgets from a website. Microsoft hosts a default website where many gadget authors can post their gadgets. This link can be redirected to a website where alternate gadgets should be available. If you enable this setting, the Gadget Gallery in the Windows Sidebar will direct users to the alternate web site. If you disable or do not configure this setting, Windows Sidebar will direct users to the default web site. The default is for Windows Sidebar to direct users to the default web site.

Setting: Turn Off User Installed Windows Sidebar Gadgets
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar
Vista: Enabled | XP: (Not Applicable) | CCE: CCE-644
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalledGadgets
Description: The Windows Sidebar will run gadgets that are located in the profile space of the user. Gadgets are small applets that are run by the Windows Sidebar on the Sidebar or on the desktop. If you enable this setting, Windows Sidebar will not run any user installed gadgets. If you disable or do not configure this setting, Windows Sidebar will run user installed gadgets. The default is for Windows Sidebar to run user installed gadgets.
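The registry references in the rows above use the sheet's "Key!ValueName" notation. The Python script below is an added example, not part of the FDCC spreadsheet or of any NIST tooling: it parses that notation, compares a handful of the rows' expected data against either the live registry (on Windows) or a constructed snapshot, and reports each setting as compliant, non-compliant or not configured. The Enabled/Disabled-to-data mapping in EXPECTED is taken from the policies' ADMX definitions and is stated here as an assumption to verify against your own template set; in particular "Turn off Windows Mail application" Enabled writes ManualLaunchAllowed = 0, the inverse sense of the other rows. The SAMPLE_SNAPSHOT values are constructed for the example.

```python
"""Audit the registry data behind a subset of the FDCC policy rows above.

Added example, not part of the FDCC spreadsheet. Parses the sheet's
'HIVE\\Key!ValueName' references, reads the live registry on Windows or a
constructed snapshot elsewhere, and classifies each setting.
"""
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Expected REG_DWORD data. Assumption: the Enabled/Disabled -> data mapping
# follows the ADMX definitions of these policies. Note the inverted sense of
# ManualLaunchAllowed: the 'Turn off' policy Enabled writes 0.
EXPECTED: Dict[str, int] = {
    r"HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl": 0,   # Disabled
    r"HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching": 1,  # Enabled
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed": 0,      # 'Turn off' Enabled
    r"HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun": 1,           # Enabled
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGadgets": 1,
}


def parse_ref(ref: str) -> Tuple[str, str, str]:
    """Split 'HIVE\\sub\\key!ValueName' into (hive, subkey, value name)."""
    key, _, value = ref.rpartition("!")
    if not value or "\\" not in key:
        raise ValueError(f"malformed registry reference: {ref!r}")
    hive, _, subkey = key.partition("\\")
    return hive, subkey, value


Reader = Callable[[str, str, str], Optional[int]]


def snapshot_reader(snapshot: Dict[str, Optional[int]]) -> Reader:
    """Reader over a constructed {ref: data} dict; a missing entry reads as None."""
    def read(hive: str, subkey: str, name: str) -> Optional[int]:
        return snapshot.get(f"{hive}\\{subkey}!{name}")
    return read


def winreg_reader() -> Reader:
    """Reader over the live registry (Windows only); a missing key or value reads as None."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def read(hive: str, subkey: str, name: str) -> Optional[int]:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                data, _kind = winreg.QueryValueEx(key, name)
                return data
        except FileNotFoundError:
            return None
    return read


def audit(expected: Dict[str, int], read: Reader) -> List[Tuple[str, str, Optional[int]]]:
    """Return (ref, status, actual) per expectation.

    status is 'compliant', 'non-compliant', or 'not configured' (policy data absent,
    i.e. the GPO never wrote it).
    """
    results = []
    for ref, want in expected.items():
        actual = read(*parse_ref(ref))
        if actual is None:
            status = "not configured"
        elif actual == want:
            status = "compliant"
        else:
            status = "non-compliant"
        results.append((ref, status, actual))
    return results


# Constructed snapshot: one wrong value, three correct ones (including the
# inverted-sense ManualLaunchAllowed), and one policy left unwritten.
SAMPLE_SNAPSHOT: Dict[str, Optional[int]] = {
    r"HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl": 1,   # user control on: wrong
    r"HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed": 0,
    r"HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun": 1,
    # TurnOffUnsignedGadgets deliberately absent -> 'not configured'
}

if __name__ == "__main__":
    reader = winreg_reader() if sys.platform == "win32" else snapshot_reader(SAMPLE_SNAPSHOT)
    for ref, status, actual in audit(EXPECTED, reader):
        print(f"{status:15} {ref} (actual={actual})")
```

A "not configured" result is only a finding when the sheet calls for Enabled or Disabled; for rows the sheet leaves Not Configured (Prevent Desktop Shortcut Creation, for instance) an absent value is the expected state.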


Setting: IPv6 Block of Protocols 41
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
Vista: General: Enabled and Block the connections; Programs and Services: All programs that meet the specified conditions; Protocols and Ports: Protocol type IPv6; Scope: Any IP addresses; Advanced: All profiles
XP: (Not Applicable) | CCE: CCE-1795
Description: Windows Firewall outbound rule to block IPv6 transition technologies. Protocol type IPv6 in the rule editor is IP protocol 41, the IPv6-in-IPv4 encapsulation used by 6to4 and ISATAP tunnels; blocking it outbound stops the host from tunneling IPv6 traffic across the IPv4 network, where it would bypass IPv4-only filtering and inspection.

Setting: IPv6 Block of UDP 3544
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
Vista: General: Enabled and Block the connections; Programs and Services: All programs that meet the specified conditions; Protocols and Ports: Protocol type UDP, Local port 3544, Remote port All Ports; Scope: Any IP addresses; Advanced: All profiles
XP: (Not Applicable) | CCE: CCE-1293
Description: Windows Firewall outbound rule to block IPv6 transition technologies. UDP 3544 is the registered Teredo port; Teredo carries IPv6 inside UDP so that it can traverse NAT, which is why it is blocked alongside protocol 41.

Setting: Log dropped packets
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
Vista: Yes | XP: (Not Applicable) | CCE: CCE-251
Description: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log will detail why and when the packet was dropped.

Setting: Log successful connections
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
Vista: Yes | XP: (Not Applicable) | CCE: CCE-617
Description: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log will detail why and when the connection was formed.

Setting: Name
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
Vista: %windir%\system32\logfiles\firewall\domainfirewall | XP: (Not Applicable) | CCE: CCE-793
Description: Enter a log file name, ensuring the Windows Firewall service account has write permission to the folder and file name defined here.

Setting: Size limit (KB)
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
Vista: 16,384 | XP: (Not Applicable) | CCE: CCE-57
Description: Maximum size for the firewall log file. When the limit is reached the firewall starts a fresh log and keeps only the previous one, so forward the file to central collection if you need more history than two files hold.
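The Logging rows above turn on dropped-packet and successful-connection logging to %windir%\system32\logfiles\firewall\domainfirewall. The parser below is an added example, not part of the FDCC spreadsheet or of Windows, for the W3C-style pfirewall.log layout that Windows Firewall with Advanced Security writes: it reads the #Fields header, summarises inbound DROP entries per remote host, flags a host that was dropped on many distinct local ports, and separates outbound drops, which is where hits on the IPv6 transition rules above would appear. The log lines in SAMPLE_LOG are constructed for the example, the local address 10.0.0.20 is an assumed value, and the scan threshold of five ports is an arbitrary choice.

```python
"""Triage a Windows Firewall with Advanced Security log (pfirewall.log layout).

Added example, not part of the FDCC spreadsheet. Reads the #Fields header so
column order comes from the file, then summarises DROP records.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in the pfirewall.log layout. '-' marks a field that does
# not apply to the record; the last column (path) is SEND or RECEIVE.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-02-03 10:15:01 ALLOW TCP 10.0.0.20 10.0.0.5 49152 445 0 - 0 0 0 - - - SEND
2009-02-03 10:15:02 DROP TCP 192.0.2.7 10.0.0.20 41000 22 52 S 1 0 8192 - - - RECEIVE
2009-02-03 10:15:02 DROP TCP 192.0.2.7 10.0.0.20 41001 23 52 S 1 0 8192 - - - RECEIVE
2009-02-03 10:15:02 DROP TCP 192.0.2.7 10.0.0.20 41002 80 52 S 1 0 8192 - - - RECEIVE
2009-02-03 10:15:03 DROP TCP 192.0.2.7 10.0.0.20 41003 135 52 S 1 0 8192 - - - RECEIVE
2009-02-03 10:15:03 DROP TCP 192.0.2.7 10.0.0.20 41004 3389 52 S 1 0 8192 - - - RECEIVE
2009-02-03 10:15:10 DROP UDP 10.0.0.20 192.0.2.99 3544 3544 77 - - - - - - - SEND
2009-02-03 10:15:11 DROP ICMP 198.51.100.4 10.0.0.20 - - 60 - - - - 8 0 - RECEIVE
"""

Record = Dict[str, str]


def parse_log(text: str) -> List[Record]:
    """Parse pfirewall.log text into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # skip a truncated row rather than misalign the columns
            records.append(dict(zip(fields, values)))
    return records


def drops_by_remote(records: List[Record], local_ips: Set[str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each remote source IP to the (protocol, local port) pairs it was dropped on inbound."""
    ports: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE" and r["src-ip"] not in local_ips:
            ports[r["src-ip"]].add((r["protocol"], r["dst-port"]))
    return ports


def find_scanners(records: List[Record], local_ips: Set[str], threshold: int = 5) -> List[str]:
    """Remote hosts dropped on at least `threshold` distinct local ports (port-scan behaviour)."""
    return sorted(ip for ip, ports in drops_by_remote(records, local_ips).items() if len(ports) >= threshold)


def outbound_drops(records: List[Record]) -> List[Record]:
    """Outbound DROP records; hits on outbound rules such as the IPv6 transition blocks land here."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "SEND"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    local = {"10.0.0.20"}  # assumption: this host's address; replace with your own
    recs = parse_log(text)
    print("records:", len(recs))
    print("suspected scanners:", find_scanners(recs, local))
    for r in outbound_drops(recs):
        print("outbound drop:", r["protocol"], r["src-ip"], r["src-port"], "->", r["dst-ip"], r["dst-port"])
```

Pass the path from the Name row as the first argument to run it against a real log; with no argument it runs on the constructed sample. Because the column names come from the #Fields line, a log from a host with a different field order parses the same way.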
Setting: Display a notification
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings
Vista: Yes (default) | XP: (Not Applicable) | CCE: CCE-1047
Description: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

Setting: Apply local connection security rules
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Rule merging
Vista: No | XP: (Not Applicable) | CCE: CCE-584
Description: Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create connection security rules on this computer. When this option is cleared, administrators can still create rules, but the rules will not be applied. This setting is applied via the FDCC_VISTA_FIREWALL GPO. It is separate from the "Group Policy" CCE of the same number.

Setting: Apply local firewall rules
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Rule merging
Vista: No | XP: (Not Applicable) | CCE: CCE-400
Description: Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to create firewall rules on this computer. When you clear this option, administrators can still create rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.

Computer                    Allow unicast response       No              (Not Applicable)   CCE-696    This option is useful if you need to control whether this computer receives
Configuration\Windows                                                                                  unicast responses to its outgoing multicast or broadcast messages. If you
                                                                                                       enable this setting, and this computer sends multicast or broadcast messages
Settings\Security                                                                                      to other computers, Windows Firewall with Advanced Security waits as long
Settings\Windows Firewall                                                                              as three seconds for unicast responses from the other computers and then
with Advanced                                                                                          blocks all later responses. If you disable this setting, and this computer sends
Security\Windows Firewall                                                                              a multicast or broadcast message to other computers, Windows Firewall with
with Advanced                                                                                          Advanced Security blocks the unicast responses sent by those other
                                                                                                       computers.
Security\Windows Firewall
Properties\Domain Profile
Tab\Settings\Unicast
response
Computer                     Firewall State         On                (Not Applicable)   CCE-806   Whether the firewall is on or off for this particular profile
Configuration\Windows                               (recommended)
Settings\Security
Settings\Windows Firewall
with Advanced
Security\Windows Firewall
with Advanced
Security\Windows Firewall
Properties\Domain Profile
Tab\State
Computer                     Inbound connections    Block (default)   (Not Applicable)   CCE-249   Whether the firewall controls inbound connections. By default inbound
Configuration\Windows                                                                              connections are controlled, and outbound are not.
Settings\Security
Settings\Windows Firewall
with Advanced
Security\Windows Firewall
with Advanced
Security\Windows Firewall
Properties\Domain Profile
Tab\State
Computer                     Outbound connections   Allow (default)   (Not Applicable)   CCE-485   Whether the firewall controls outbound connections. By default inbound
Configuration\Windows                                                                              connections are controlled, and outbound are not.
Settings\Security
Settings\Windows Firewall
with Advanced
Security\Windows Firewall
with Advanced
Security\Windows Firewall
Properties\Domain Profile
Tab\State
Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
Setting: Log dropped packets
Values: Yes | (Not Applicable)
CCE: CCE-325
Description: Enter a log file name, ensuring the Windows Firewall service account has write permission to the folder and file name defined here.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
Setting: Logged successful connections
Values: Yes | (Not Applicable)
CCE: CCE-327
Description: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log will detail why and when the packet was dropped.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
Setting: Name
Values: %windir%\system32\logfiles\firewall\privatefirewall | (Not Applicable)
CCE: CCE-999
Description: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log will detail why and when the connection was formed.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
Setting: Size limit (KB)
Values: 16,384 | (Not Applicable)
CCE: CCE-1091
Description: Maximum size for the firewall log file.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Firewall settings
Setting: Display a notification
Values: Yes (default) | (Not Applicable)
CCE: CCE-38
Description: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Rule merging
Setting: Apply local connection security rules
Values: No | (Not Applicable)
CCE: CCE-199
Description: Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create connection security rules on this computer. When this option is cleared, administrators can still create rules, but the rules will not be applied.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Rule merging
Setting: Apply local firewall rules
Values: No | (Not Applicable)
CCE: CCE-117
Description: Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to create firewall rules on this computer. When you clear this option, administrators can still create rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Unicast response
Setting: Allow unicast response
Values: No | (Not Applicable)
CCE: CCE-70
Description: This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. If you enable this setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall with Advanced Security waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. If you disable this setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall with Advanced Security blocks the unicast responses sent by those other computers.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\State
Setting: Firewall State
Values: On (recommended) | (Not Applicable)
CCE: CCE-7
Description: Whether the firewall is on or off for this particular profile.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\State
Setting: Inbound connections
Values: Block (default) | (Not Applicable)
CCE: CCE-29
Description: Whether the firewall controls inbound connections. By default inbound connections are controlled, and outbound are not.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\State
Setting: Outbound connections
Values: Allow (default) | (Not Applicable)
CCE: CCE-32
Description: Whether the firewall controls outbound connections. By default inbound connections are controlled, and outbound are not.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
Setting: Log dropped packets
Values: Yes | (Not Applicable)
CCE: CCE-1165
Description: Enter a log file name, ensuring the Windows Firewall service account has write permission to the folder and file name defined here.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
Setting: Logged successful connections
Values: Yes | (Not Applicable)
CCE: CCE-534
Description: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log will detail why and when the packet was dropped.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
Setting: Name
Values: %windir%\system32\logfiles\firewall\publicfirewall | (Not Applicable)
CCE: CCE-1263
Description: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log will detail why and when the connection was formed.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
Setting: Size limit (KB)
Values: 16,384 | (Not Applicable)
CCE: CCE-1313
Description: Maximum size for the firewall log file.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Firewall settings
Setting: Display a notification
Values: Yes (default) | (Not Applicable)
CCE: CCE-390
Description: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Rule merging
Setting: Apply local connection security rules
Values: No | (Not Applicable)
CCE: CCE-437
Description: Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create connection security rules on this computer. When this option is cleared, administrators can still create rules, but the rules will not be applied.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Rule merging
Setting: Apply local firewall rules
Values: No | (Not Applicable)
CCE: CCE-421
Description: Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to create firewall rules on this computer. When you clear this option, administrators can still create rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Unicast response
Setting: Allow unicast response
Values: No | (Not Applicable)
CCE: CCE-414
Description: This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. If you enable this setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall with Advanced Security waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. If you disable this setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall with Advanced Security blocks the unicast responses sent by those other computers.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\State
Setting: Firewall State
Values: On (recommended) | (Not Applicable)
CCE: CCE-295
Description: Whether the firewall is on or off for this particular profile.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\State
Setting: Inbound connections
Values: Block (default) | (Not Applicable)
CCE: CCE-338
Description: Whether the firewall controls inbound connections. By default inbound connections are controlled, and outbound are not.

Path: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\State
Setting: Outbound connections
Values: Allow (default) | (Not Applicable)
CCE: CCE-342
Description: Whether the firewall controls outbound connections. By default inbound connections are controlled, and outbound are not.

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
Setting: Disable ISATAP, Teredo, and 6to4 tunneling protocols
Values: 0x1 | (Not Applicable)
CCE: CCE-1227, CCE-1036, CCE-1148
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
Description: Registry setting that controls the IPv6 transitional technologies ISATAP, Teredo and 6to4. There is currently no way to apply this setting via GPOs; the setting must be edited in the registry.

Path: User Configuration\Administrative Templates\Control Panel\Display
Setting: Password protect the screen saver
Values: Enabled | Enabled
CCE: CCE-949
Registry: HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure
Description: Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "Password protected" check box on the Screen Saver tab in Display in Control Panel, preventing users from changing the password protection setting. If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. To ensure that a computer will be password protected, also enable the "Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.
Note: To remove the Screen Saver tab, use the "Hide Screen Saver tab" setting.

Path: User Configuration\Administrative Templates\Control Panel\Display
Setting: Screen Saver timeout
Values: Enabled:900 seconds | Enabled:900
CCE: CCE-830
Registry: HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveTimeOut
Description: Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.
This setting has no effect under any of the following circumstances:
 - The setting is disabled or not configured.
 - The wait time is set to zero.
 - The "No screen saver" setting is enabled.
 - Neither the "Screen saver executable name" setting nor the Screen Saver tab of the client computer's Display Properties dialog box specifies a valid existing screensaver program on the client.
When not configured, whatever wait time is set on the client through the Screen Saver tab of the Display Properties dialog box is used. The default is 15 minutes.

Path: User Configuration\Administrative Templates\System\Power Management
Setting: Prompt for password on resume from hibernate / suspend
Values: Enabled | Enabled
CCE: CCE-509
Registry: HKCU\Software\Policies\Microsoft\Windows\System\Power!PromptPasswordOnResume
Description: This setting allows you to configure client computers to always lock when resuming from a hibernate or suspend. If you enable this setting, the client computer is locked when it is resumed from a suspend or hibernate state. If you disable or do not configure this setting, users can decide if their computer is automatically locked or not after performing a resume operation.

Path: User Configuration\Administrative Templates\Windows Components\Attachment Manager
Setting: Do not preserve zone information in file attachments
Values: Disabled | Disabled
CCE: CCE-12
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!SaveZoneInformation
Description: This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (i.e. restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information Windows cannot make proper risk assessments. If you enable this policy setting Windows does not mark file attachments with their zone information. If you disable this policy setting Windows marks file attachments with their zone information. If you do not configure this policy setting Windows marks file attachments with their zone information.

Path: User Configuration\Administrative Templates\Windows Components\Attachment Manager
Setting: Hide mechanisms to remove zone information
Values: Enabled | Enabled
CCE: CCE-58
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!HideZoneInfoOnProperties
Description: This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. If you enable this policy setting Windows hides the checkbox and Unblock button. If you disable this policy setting Windows shows the checkbox and Unblock button. If you do not configure this policy setting Windows shows the checkbox and Unblock button.

Path: User Configuration\Administrative Templates\Windows Components\Attachment Manager
Setting: Notify antivirus programs when opening attachments
Values: Enabled | Enabled
CCE: CCE-372
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!ScanWithAntiVirus
Description: This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's e-mail server, further calls would be redundant. If you enable this policy Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. If you disable this policy Windows does not call the registered antivirus programs when file attachments are opened. If you do not configure this policy Windows does not call the registered antivirus programs when file attachments are opened.

User                         Configure Outlook Express   Disabled         Disabled         CCE-963    HKCU\Software\Microsoft\Outlook                  The Configure Outlook Express setting allows administrators to enable and
Configuration\Administrative                                                                          Express!BlockExeAttachments                      disable the ability for Microsoft Outlook® Express users to save or open
                                                                                                                                                       attachments that can potentially contain a virus. Selecting the block
Templates\Windows                                                                                                                                      attachments option of this setting prevents users opening or saving
Components\Internet                                                                                                                                    attachments to e – mail that could potentially contain a virus. Users cannot
Explorer                                                                                                                                               disable the Configure Outlook Express setting to stop it from blocking
                                                                                                                                                       attachments. To enforce this setting, click Enable and select Block
                                                                                                                                                       attachments that could contain a virus.

User                         Disable AutoComplete for    Enabled          Enabled          CCE-478    HKCU\Software\Policies\Microsoft\Internet        This AutoComplete feature suggests possible matches when users are filling
Configuration\Administrative forms                                                                    Explorer\Main!Use FormSuggest,                   up forms. If you enable this setting, the user is not suggested matches when
                                                                                                                                                       filling forms. The user cannot change it. If you disable this setting, the user is
Templates\Windows                                                                                     HKCU\Software\Policies\Microsoft\Internet        suggested possible matches when filling forms. The user cannot change it.
Components\Internet                                                                                   Explorer\Control Panel!FormSuggest               If you do not configure this setting, the user has the freedom to turn on the
Explorer                                                                                                                                               auto-complete feature for forms. To display this option, the users open the
                                                                                                                                                       Internet Options dialog box, click the Contents Tab and click the Settings
                                                                                                                                                       button.


User                         Disable external branding of Enabled         Enabled          CCE-1051   HKCU\Software\Policies\Microsoft\Internet Prevents branding of Internet programs, such as customization of Internet
Configuration\Administrative Internet Explorer                                                        Explorer\Restrictions!NoExternalBranding Explorer and Outlook Express logos and title bars, by another party. If you
                                                                                                                                                       enable this policy, it prevents customization of the browser by another party,
Templates\Windows                                                                                                                                      such as an Internet service provider or Internet content provider. If you
Components\Internet                                                                                                                                    disable this policy or do not configure it, users could install customizations
Explorer                                                                                                                                               from another party-for example, when signing up for Internet services. This
                                                                                                                                                       policy is intended for administrators who want to maintain a consistent
                                                                                                                                                       browser across an organization.


User                         Disable Internet Connection Not Configured   Not Configured   CCE-769    HKCU\Software\Policies\Microsoft\Internet        Prevents users from running the Internet Connection Wizard.
Configuration\Administrative wizard                                                                   Explorer\Control Panel!Connwiz Admin             If you enable this policy, the Setup button on the Connections tab in the
                                                                                                                                                       Internet Options dialog box appears dimmed.
Templates\Windows                                                                                     Lock                                             Users will also be prevented from running the wizard by clicking the Connect
Components\Internet                                                                                                                                    to the Internet icon on the desktop or by clicking Start, pointing to Programs,
Explorer                                                                                                                                               pointing to Accessories, pointing to Communications, and then clicking
                                                                                                                                                       Internet Connection Wizard. If you disable this policy or do not configure it,
                                                                                                                                                       users can change their connection settings by running the Internet
                                                                                                                                                       Connection Wizard.
                                                                                                                                                       Note: This policy overlaps with the "Disable the Connections page" policy
                                                                                                                                                       (located in \User Configuration\Administrative Templates\Windows
                                                                                                                                                       Components\Internet Explorer\Internet Control Panel), which removes the
                                                                                                                                                       Connections tab from the interface. Removing the Connections tab from the
                                                                                                                                                       interface, however, does not prevent users from running the Internet
                                                                                                                                                       Connection Wizard from the desktop or the Start menu.
User                         Disable the Reset Web         Enabled       Enabled            CCE-625       HKCU\Software\Policies\Microsoft\Internet Prevents users from restoring default settings for home and search pages.
Configuration\Administrative Settings feature                                                             Explorer\Control Panel!ResetWebSettings If you enable this policy, the Reset Web Settings button on the Programs tab
                                                                                                                                                           in the Internet Options dialog box appears dimmed. If you disable this policy
Templates\Windows                                                                                                                                          or do not configure it, users can restore the default settings for home and
Components\Internet                                                                                                                                        search pages. The "Disable the Programs page" policy (located in \User
Explorer                                                                                                                                                   Configuration\Administrative Templates\Windows Components\Internet
                                                                                                                                                           Explorer\Internet Control Panel), which removes the Programs tab from
                                                                                                                                                           Internet Explorer in Control Panel, takes precedence over this policy. If it is
                                                                                                                                                           enabled, this policy is ignored



User                         Turn on the auto-complete     Disabled      Disabled           CCE-721       HKCU\Software\Policies\Microsoft\Internet        This AutoComplete feature can remember and suggest User names and
Configuration\Administrative feature for user names and                                                   Explorer\Main!FormSuggest Passwords,             passwords on Forms. If you enable this setting, the user cannot change
                                                                                                                                                           "User name and passwords on forms" or "prompt me to save passwords".
Templates\Windows            passwords on forms                                                           HKCU\Software\Policies\Microsoft\Internet        The Auto Complete feature for User names and passwords on Forms will be
Components\Internet                                                                                       Explorer\Control Panel!FormSuggest               turned on. You have to decide whether to select "prompt me to save
Explorer                                                                                                  Passwords                                        passwords". If you disable this setting the user cannot change "User name
                                                                                                                                                           and passwords on forms" or "prompt me to save passwords". The Auto
                                                                                                                                                           Complete feature for User names and passwords on Forms is turned off. The
                                                                                                                                                           user also cannot opt to be prompted to save passwords. If you do not
                                                                                                                                                           configure this setting, the user has the freedom of turning on Auto complete
                                                                                                                                                           for User name and passwords on forms and the option of prompting to save
                                                                                                                                                           passwords. To display this option, the users open the Internet Options dialog
                                                                                                                                                           box, click the Contents Tab and click the Settings button.




User                           Turn off page transitions   Enabled       Enabled            CCE-71        HKCU\Software\Policies\Microsoft\Internet This policy setting specifies if, as you move from one Web page to another,
Configuration\Administrative                                                                              Explorer\Main!Page_Transitions            Internet Explorer fades out of the page you are leaving and fades into the
                                                                                                                                                           page to which you are going. If you enable this policy setting, page
Templates\Windows                                                                                                                                          transitions will be turned off. The user cannot change this behavior. If you
Components\Internet                                                                                                                                        disable this policy setting, page transitions will be turned on. The user cannot
Explorer\Internet                                                                                                                                          change this behavior. If you do not configure this policy setting, the user can
Settings\Advanced                                                                                                                                          turn on or off page transitions.
Settings\Browsing
User                           Turn on the Internet        Disabled      Disabled           CCE-258       HKCU\Software\Policies\Microsoft\Internet This policy setting determines if the Internet Connection Wizard was
Configuration\Administrative   Connection Wizard Auto                                                     Connection Wizard!DisableICW              completed. If it was not completed, it launches the Internet Connection
                                                                                                                                                           Wizard. If you enable this policy setting, the Internet Connection Wizard is
Templates\Windows              Detect                                                                                                                      launched automatically if it was not completed before. The user cannot
Components\Internet                                                                                                                                        prevent the wizard from launching. If you disable this policy setting, the
Explorer\Internet                                                                                                                                          Internet Connection Wizard is not launched automatically. The user can
Settings\Advanced                                                                                                                                          launch the wizard manually. If you do not configure this policy setting, the
Settings\Internet Connection                                                                                                                               user will have the freedom to decide whether the Internet Connection Wizard
                                                                                                                                                           should be launched automatically.
Wizard Settings

User                         Prevent users from sharing    Enabled       (Not Applicable)   CCE-1144 HKCU\Software\Microsoft\Windows\Current By default users are allowed to share files within their profile to other users on
Configuration\Administrative files within their profile.                                             Version\Policies\Explorer!NoInplaceSharing their network once an administrator opts in the computer. An administrator
                                                                                                                                                           can opt in the computer by using the sharing wizard to share a file within their
Templates\Windows                                                                                                                                          profile. If you enable this policy, users will not be able to share files within
Components\Network                                                                                                                                         their profile using the sharing wizard. Also, the sharing wizard will not create
Sharing                                                                                                                                                    a share at %root%\users and can only be used to create SMB shares on
                                                                                                                                                           folders. If you disable or don’t configure this policy, then users will be able to
                                                                                                                                                           share files out of their user profile once an administrator has opted in the
                                                                                                                                                           computer.

VISTA AUDIT POLICY:            Application Group           No auditing   (Not Applicable)   CCE-801,
Account Management             Management                                                   CCE-1016

VISTA AUDIT POLICY:            Computer Account            Success and   (Not Applicable)   CCE-1070,
Account Management             Management                  Failure                          CCE-840
VISTA AUDIT POLICY:      Distribution Group           No auditing    (Not Applicable)   CCE-515,
Account Management       Management                                                     CCE-1048

VISTA AUDIT POLICY:      Other Account Management Success and        (Not Applicable)   CCE-206,
Account Management       Events                   Failure                               CCE-1202

VISTA AUDIT POLICY:      Security Group Management Success and       (Not Applicable)   CCE-1118,
Account Management                                 Failure                              CCE-369
VISTA AUDIT POLICY:      User Account Management Success and         (Not Applicable)   CCE-1043,
Account Management                                 Failure                              CCE-924
VISTA AUDIT POLICY:      DPAPI Activity            No auditing       (Not Applicable)   CCE-1413,
Detailed Tracking                                                                       CCE-699

VISTA AUDIT POLICY:      Process Creation             Success        (Not Applicable)   CCE-913,
Detailed Tracking                                                                       CCE-1079

VISTA AUDIT POLICY:      Process Termination          No auditing    (Not Applicable)   CCE-416,
Detailed Tracking                                                                       CCE-1250

VISTA AUDIT POLICY:      RPC Events                   No auditing    (Not Applicable)   CCE-1219,
Detailed Tracking                                                                       CCE-1365

VISTA AUDIT POLICY: DS   Detailed Directory Service   No auditing    (Not Applicable)   CCE-207,
Access                   Replication                                                    CCE-1186
VISTA AUDIT POLICY: DS   Directory Service Access     No auditing    (Not Applicable)   CCE-1199,
Access                                                                                  CCE-459

VISTA AUDIT POLICY: DS   Directory Service Changes    No auditing    (Not Applicable)   CCE-317,
Access                                                                                  CCE-982

VISTA AUDIT POLICY: DS   Directory Service Replication No auditing   (Not Applicable)   CCE-881,
Access                                                                                  CCE-247
VISTA AUDIT POLICY:      Account Lockout              No auditing    (Not Applicable)   CCE-980
Logon/Logoff
VISTA AUDIT POLICY:      IPsec Extended Mode          No auditing    (Not Applicable)   CCE-1028,
Logon/Logoff                                                                            CCE-362
VISTA AUDIT POLICY:      IPsec Main Mode              No auditing    (Not Applicable)   CCE-1207,
Logon/Logoff                                                                            CCE-351
VISTA AUDIT POLICY:      IPsec Quick Mode             No auditing    (Not Applicable)   CCE-1257,
Logon/Logoff                                                                            CCE-1274
VISTA AUDIT POLICY:      Logoff                       Success        (Not Applicable)   CCE-493,
Logon/Logoff                                                                            CCE-996
VISTA AUDIT POLICY:      Logon                        Success and    (Not Applicable)   CCE-1284,
Logon/Logoff                                          Failure                           CCE-1097
VISTA AUDIT POLICY:      Other Logon/Logoff Events    No auditing    (Not Applicable)   CCE-378,
Logon/Logoff                                                                            CCE-1208
VISTA AUDIT POLICY:      Special Logon                Success        (Not Applicable)   CCE-371,
Logon/Logoff                                                                            CCE-1038
VISTA AUDIT POLICY:      Application Generated        No auditing    (Not Applicable)   CCE-1322,
Object Access                                                                           CCE-379
VISTA AUDIT POLICY:      Certification Services       No auditing    (Not Applicable)   CCE-1345,
Object Access                                                                           CCE-1261
VISTA AUDIT POLICY:      File Share                   No auditing    (Not Applicable)   CCE-1372,
Object Access                                                                           CCE-1033
VISTA AUDIT POLICY:            File System                  Failure          (Not Applicable)   CCE-1085,
Object Access                                                                                   CCE-1340
VISTA AUDIT POLICY:            Filtering Platform           No auditing      (Not Applicable)   CCE-717,
Object Access                  Connection                                                       CCE-744
VISTA AUDIT POLICY:            Filtering Platform Packet    No auditing      (Not Applicable)   CCE-385,
Object Access                  Drop                                                             CCE-589
VISTA AUDIT POLICY:            Handle Manipulation          No auditing      (Not Applicable)   CCE-1363,
Object Access                                                                                   CCE-1244
VISTA AUDIT POLICY:            Kernel Object                No auditing      (Not Applicable)   CCE-1288,
Object Access                                                                                   CCE-1305
VISTA AUDIT POLICY:            Other Object Access Events No auditing        (Not Applicable)   CCE-642,
Object Access                                                                                   CCE-1026
VISTA AUDIT POLICY:            Registry                     Failure          (Not Applicable)   CCE-1138,
Object Access                                                                                   CCE-1283
VISTA AUDIT POLICY:            SAM                          No auditing      (Not Applicable)   CCE-446,
Object Access                                                                                   CCE-451
VISTA AUDIT POLICY:            Audit Policy Change          Success and      (Not Applicable)   CCE-1110,
Policy Change                                               Failure                             CCE-991
VISTA AUDIT POLICY:            Authentication Policy        Success          (Not Applicable)   CCE-388,
Policy Change                  Change                                                           CCE-180
VISTA AUDIT POLICY:            Authorization Policy Change No auditing       (Not Applicable)   CCE-187,
Policy Change                                                                                   CCE-448
VISTA AUDIT POLICY:            Filtering Platform Policy  No auditing        (Not Applicable)   CCE-1042,
Policy Change                  Change                                                           CCE-1112
VISTA AUDIT POLICY:            MPSSVC Rule-Level Policy No auditing          (Not Applicable)   CCE-203,
Policy Change                  Change                                                           CCE-879
VISTA AUDIT POLICY:            Other Policy Change Events No auditing        (Not Applicable)   CCE-205,
Policy Change                                                                                   CCE-787
VISTA AUDIT POLICY:            Non Sensitive Privilege Use No auditing       (Not Applicable)   CCE-391,
Privilege Use                                                                                   CCE-404
VISTA AUDIT POLICY:            Other Privilege Use Events   No auditing      (Not Applicable)   CCE-1203,
Privilege Use                                                                                   CCE-406
VISTA AUDIT POLICY:            Sensitive Privilege Use      Success and      (Not Applicable)   CCE-488,
Privilege Use                                               Failure                             CCE-1258
VISTA AUDIT POLICY:            IPsec Driver                 Success and      (Not Applicable)   CCE-1177,
System                                                      Failure                             CCE-1314
VISTA AUDIT POLICY:            Other System Events          No auditing      (Not Applicable)   CCE-1332,
System                                                                                          CCE-337
VISTA AUDIT POLICY:            Security State Change        Success and      (Not Applicable)   CCE-1121,
System                                                      Failure                             CCE-1139
VISTA AUDIT POLICY:            Security System Extension    Success and      (Not Applicable)   CCE-1270,
System                                                      Failure                             CCE-1102
VISTA AUDIT POLICY:            System Integrity             Success and      (Not Applicable)   CCE-856,
System                                                      Failure                             CCE-336
Computer                       Download signed ActiveX      Not Configured   Not Configured     none
Configuration\Administrative   controls
Templates\Windows
Components\Internet
Explorer\Internet Control
Panel\Security Page\Trusted
Sites Zone
Computer                       Download signed ActiveX    Not Configured   Not Configured     none
Configuration\Administrative   controls
Templates\Windows
Components\Internet
Explorer\Internet Control
Panel\Security Page\Intranet
Zone
User                           Turn off Help Experience   Enabled          (Not Applicable)   CCE-174
Configuration\Administrative   Improvement Program
Templates\System\Internet
Communication
Management\Internet
Communication Settings

User                         Turn off Help Ratings        Enabled          (Not Applicable)   CCE-1109
Configuration\Administrative
Templates\System\Internet
Communication
Management\Internet
Communication settings
Vista CCE v5 Reference   XP CCE v5 Reference
(Not Applicable)   (Not Applicable)
CCE-4077-4   (Not Applicable)
CCE-3270-6   CCE-5194-6
CCE-4152-5   CCE-2173-3
CCE-5020-3   CCE-5022-9
CCE-4078-2   CCE-3026-2
CCE-3431-4   CCE-3247-4
(Not Applicable)   CCE-3141-9
CCE-3180-7   CCE-3258-1
CCE-3405-8   CCE-2828-2
(Not Applicable)   CCE-2965-2, CCE-3090-8, CCE-2923-1, CCE-2958-7
CCE-3158-3   CCE-2476-0
CCE-3458-7   CCE-3304-3
CCE-2964-5   CCE-3176-5
CCE-3365-4   CCE-3198-9
CCE-3436-3   CCE-2972-8
CCE-3054-4   CCE-3154-2
CCE-3369-6   CCE-3262-3
(Not Applicable)   CCE-3081-7
CCE-3356-3   CCE-2989-2
CCE-3334-0   CCE-3183-1
CCE-3352-2   CCE-2954-6
CCE-3387-8   CCE-3213-6
CCE-3268-0   CCE-3235-9
CCE-3347-2   CCE-3179-9
CCE-3409-0   CCE-3134-4
CCE-3440-5   CCE-3103-9
CCE-3329-0   CCE-3284-7
CCE-5061-7   (Not Applicable)
CCE-3045-2   (Not Applicable)
CCE-3331-6   (Not Applicable)
CCE-3464-5   (Not Applicable)
CCE-3468-6   (Not Applicable)
CCE-3278-9   CCE-5014-6
(Not Applicable)   CCE-5136-7
CCE-4081-6   CCE-4665-6
CCE-3452-0   CCE-5053-4
CCE-3454-6   CCE-5054-2
CCE-2754-0   CCE-5200-1
CCE-3348-0   CCE-4953-6
CCE-2868-8   (Not Applicable)
CCE-3432-2   CCE-4707-6
CCE-3364-7   CCE-5099-7
CCE-2697-1   CCE-5121-9
CCE-3421-5   CCE-4513-8
CCE-3093-2   CCE-4641-7
CCE-2778-9   CCE-5055-9
CCE-3115-3   CCE-5072-4
CCE-2477-8   CCE-4887-6
CCE-3259-9   CCE-4224-2
CCE-4694-6   CCE-3038-7
CCE-3403-3   CCE-4242-4
CCE-3297-9   CCE-4732-4
CCE-3385-2   CCE-4997-3
CCE-3278-9   CCE-5014-6
CCE-4813-2   CCE-3100-5
CCE-3086-6   CCE-5032-8
CCE-2781-3   CCE-5160-7
CCE-2922-3   (Not Applicable)
CCE-2821-7   (Not Applicable)
CCE-3469-4   (Not Applicable)
CCE-3217-7   CCE-3012-2
CCE-3323-3   CCE-3007-2
CCE-3271-4   (Not Applicable)
CCE-3160-9   CCE-3273-0
CCE-3394-4   CCE-2956-1
CCE-4579-9   (Not Applicable)
CCE-2719-3   CCE-2710-2
CCE-2471-1   (Not Applicable)
CCE-2471-1   (Not Applicable)
CCE-3015-5   CCE-2904-1
CCE-3302-7   CCE-2693-0
CCE-4086-5   (Not Applicable)
CCE-3165-8   CCE-3006-4
CCE-2471-1   (Not Applicable)
CCE-4001-4   CCE-4001-4
CCE-3518-8   CCE-3518-8
CCE-4147-5   CCE-4147-5
CCE-3576-6   CCE-3576-6
CCE-3706-9   CCE-3706-9
CCE-4118-6   CCE-4118-6
CCE-3744-0   CCE-3744-0
CCE-3201-1   CCE-3201-1
CCE-3993-3   CCE-3993-3
CCE-3207-8   CCE-3207-8
CCE-3929-7   CCE-3929-7
CCE-3933-9   CCE-3933-9
CCE-4017-0   CCE-4017-0
CCE-3615-2   CCE-3615-2
CCE-3894-3   CCE-3894-3
CCE-3866-1   CCE-3866-1
CCE-3875-2   CCE-3875-2
CCE-4199-6   CCE-4199-6
CCE-4174-9   CCE-4174-9
CCE-3677-2   CCE-3677-2
CCE-3941-2   CCE-3941-2
CCE-4192-1   CCE-4192-1
CCE-3584-0   CCE-3584-0
CCE-3976-8   CCE-3976-8
CCE-4026-1   CCE-4026-1
CCE-4171-5   CCE-4171-5
CCE-4175-6   CCE-4175-6
CCE-3853-9   CCE-3853-9
CCE-4109-5   CCE-4109-5
CCE-3998-2   CCE-3998-2
CCE-3888-5   CCE-3888-5
CCE-3906-5   CCE-3906-5
CCE-4099-8   CCE-4099-8
CCE-3601-2   CCE-3601-2
CCE-3249-0   CCE-3249-0
CCE-4139-2   CCE-4139-2
CCE-3927-1   CCE-3927-1
CCE-3945-3   CCE-3945-3
CCE-4068-3   CCE-4068-3
CCE-3963-6   CCE-3963-6
CCE-4104-6   CCE-4104-6
CCE-3623-6   CCE-3623-6
CCE-3751-5   CCE-3751-5
CCE-4143-4   CCE-4143-4
CCE-4161-6   CCE-4161-6
CCE-3553-5   CCE-3553-5
CCE-3378-7   CCE-3378-7
CCE-4643-3   CCE-4643-3
CCE-3619-4   CCE-3619-4
CCE-3914-9   CCE-3914-9
CCE-4131-9   CCE-4131-9
CCE-3570-9   CCE-3570-9
CCE-3989-1   CCE-3989-1
CCE-4652-4   CCE-4652-4
CCE-4138-4   CCE-4138-4
CCE-3891-9   CCE-3891-9
CCE-3984-2   CCE-3984-2
CCE-4793-6   CCE-4793-6
CCE-4692-0   CCE-4692-0
CCE-4121-0   CCE-4121-0
CCE-3754-9   CCE-3754-9
CCE-4028-7   CCE-4028-7
CCE-4160-8   CCE-4160-8
CCE-3264-9   CCE-3264-9
CCE-3902-4   CCE-3902-4
CCE-4546-8   CCE-4546-8
CCE-4232-5   CCE-4232-5
CCE-4564-1   CCE-4564-1
CCE-3905-7   CCE-3905-7
CCE-4050-1   CCE-4050-1
CCE-4196-2   CCE-4196-2
CCE-4013-9   CCE-4013-9
CCE-3337-3   CCE-3337-3
CCE-4150-9   CCE-4150-9
CCE-4062-6   CCE-4062-6
CCE-4079-0   CCE-4079-0
CCE-4084-0   CCE-4084-0
CCE-4119-4   CCE-4119-4
CCE-4031-1   CCE-4031-1
CCE-4053-5   CCE-4053-5
CCE-4057-6   CCE-4057-6
CCE-3564-2   CCE-3564-2
CCE-4101-2   CCE-4101-2
CCE-3996-6   CCE-3996-6
CCE-4066-7   CCE-4066-7
CCE-3696-2   CCE-3696-2
CCE-3590-7   CCE-3590-7
CCE-4110-3   CCE-4110-3
CCE-4132-7   CCE-4132-7
CCE-3400-9   CCE-3400-9
CCE-4158-2   CCE-4158-2
CCE-4163-2   CCE-4163-2
CCE-4202-8   CCE-4202-8
CCE-3216-9   CCE-3216-9
CCE-3855-4   CCE-3855-4
CCE-4153-3   CCE-4153-3
CCE-3909-9   CCE-3909-9
CCE-4018-8   CCE-4018-8
CCE-4040-2   CCE-4040-2
CCE-4052-7   CCE-4052-7
CCE-4215-0   CCE-4215-0
CCE-4087-3   CCE-4087-3
CCE-4845-4   CCE-4845-4
CCE-3204-5   CCE-3204-5
CCE-4098-0   CCE-4098-0
CCE-4259-8   CCE-4259-8
CCE-4047-7   CCE-4047-7
CCE-4149-1   CCE-4149-1
CCE-3338-1   CCE-3338-1
CCE-4992-4   CCE-4043-6
CCE-3924-8   CCE-3924-8
CCE-4122-8   CCE-4122-8
CCE-4162-4   CCE-4162-4
CCE-3288-8   CCE-4262-2
CCE-3082-5   CCE-2896-9
CCE-3046-0   (Not Applicable)
CCE-3477-7   CCE-4581-5
CCE-3376-1   (Not Applicable)
CCE-3143-5   (Not Applicable)
CCE-2975-1   CCE-4849-6
(Not Applicable)   CCE-3116-1
CCE-2975-1   CCE-4849-6
CCE-5007-0   CCE-2961-1
CCE-4267-1   CCE-3124-5
CCE-2874-6   (Not Applicable)
CCE-3429-8   CCE-2949-6
CCE-4866-0   CCE-3116-1
CCE-3429-8   CCE-2949-6
CCE-5007-0   (Not Applicable)
CCE-4761-3   (Not Applicable)
CCE-4915-5   (Not Applicable)
CCE-5034-4   (Not Applicable)
CCE-5136-7   (Not Applicable)
CCE-4089-9   (Not Applicable)
CCE-2962-9   (Not Applicable)
CCE-3125-2   CCE-4270-5
CCE-4991-6   CCE-2830-8
CCE-4629-2   CCE-3094-0
CCE-3398-5   CCE-5025-2
CCE-3341-5   (Not Applicable)
CCE-2521-3   (Not Applicable)
CCE-2525-4   (Not Applicable)
CCE-3486-8   Not Defined
CCE-4405-7   CCE-4791-0
CCE-4898-3   CCE-2826-6
CCE-5052-6   CCE-4482-6
CCE-2557-7   (Not Applicable)
(Not Applicable)   CCE-2684-9
CCE-4797-7   CCE-2455-4
CCE-3456-1   (Not Applicable)
CCE-3214-4   (Not Applicable)
CCE-3500-6   (Not Applicable)
CCE-2865-4   (Not Applicable)
CCE-3508-9   (Not Applicable)
CCE-3260-7   CCE-2965-2
CCE-3414-0   CCE-3090-8
CCE-2533-8   CCE-2923-1
CCE-3299-5   CCE-2958-7
CCE-4941-1   (Not Applicable)
CCE-2977-7   (Not Applicable)
CCE-3457-9   (Not Applicable)
CCE-3436-3   CCE-2972-8
CCE-3054-4   CCE-3154-2
CCE-2999-1   (Not Applicable)
CCE-3439-7   (Not Applicable)
CCE-4597-1   (Not Applicable)
CCE-4963-5   (Not Applicable)
CCE-4206-9   (Not Applicable)
CCE-4207-7   (Not Applicable)
CCE-3417-3   (Not Applicable)
CCE-2854-8   (Not Applicable)
CCE-3360-5   (Not Applicable)
CCE-2924-9   (Not Applicable)
CCE-3373-8   (Not Applicable)
CCE-3395-1   (Not Applicable)
CCE-3166-6   (Not Applicable)
CCE-4507-0   (Not Applicable)
CCE-5128-4   (Not Applicable)
CCE-4639-1   (Not Applicable)
CCE-4278-8   (Not Applicable)
CCE-2998-3   (Not Applicable)
CCE-3426-4   (Not Applicable)
CCE-2650-0   (Not Applicable)
CCE-2641-9   (Not Applicable)
CCE-3246-6   (Not Applicable)
CCE-3263-1   (Not Applicable)
CCE-3351-4   (Not Applicable)
CCE-5146-6, CCE-5036-9, CCE-4811-6   (Not Applicable)
CCE-4290-3   CCE-4500-5
CCE-3050-2   CCE-2980-1
CCE-3169-0   CCE-4390-1
CCE-3437-1   CCE-4412-3
CCE-2979-3   CCE-5042-7
CCE-3300-1   CCE-5059-1
CCE-3275-5   CCE-3275-5
CCE-4246-5   CCE-4246-5
CCE-4237-4   CCE-4237-4
CCE-3825-7   CCE-3825-7
CCE-4226-7   CCE-4226-7
CCE-3647-5   CCE-3647-5
CCE-4056-8   CCE-4056-8
CCE-4036-0   CCE-4036-0
CCE-5070-8   (Not Applicable)
CCE-4938-7, CCE-4700-1   (Not Applicable)
CCE-4093-1, CCE-4228-3   (Not Applicable)
CCE-4115-2, CCE-4140-0   (Not Applicable)
CCE-4916-3, CCE-4783-7   (Not Applicable)
CCE-5048-4, CCE-4142-6   (Not Applicable)
CCE-4833-0, CCE-5097-1   (Not Applicable)
CCE-5000-5, CCE-4493-3   (Not Applicable)
CCE-4166-5, CCE-5094-8   (Not Applicable)
CCE-4869-4, CCE-4363-8   (Not Applicable)
CCE-4891-8, CCE-4759-7   (Not Applicable)
CCE-5023-7, CCE-4658-1   (Not Applicable)
CCE-5028-6, CCE-4931-2   (Not Applicable)
CCE-5067-4, CCE-4808-2   (Not Applicable)
CCE-5089-8, CCE-4176-4   (Not Applicable)
CCE-2363-0   CCE-2928-0
CCE-5011-2, CCE-4505-4   (Not Applicable)
CCE-5016-1, CCE-4650-8   (Not Applicable)
CCE-5038-5, CCE-4928-8   (Not Applicable)
CCE-4703-5, CCE-4183-0   (Not Applicable)
CCE-5018-7, CCE-4423-0   (Not Applicable)
CCE-5163-1, CCE-5066-6   (Not Applicable)
CCE-4956-9, CCE-4824-9   (Not Applicable)
CCE-5084-9, CCE-4829-8   (Not Applicable)
CCE-4714-2, CCE-4868-6   (Not Applicable)
CCE-4200-2, CCE-5145-8   (Not Applicable)
CCE-4921-3, CCE-5039-3   (Not Applicable)
CCE-4568-2, CCE-5079-9   (Not Applicable)
CCE-4947-8, CCE-4335-6   (Not Applicable)
CCE-4828-0, CCE-4965-0   (Not Applicable)
CCE-4996-5, CCE-4885-0   (Not Applicable)
CCE-5132-6, CCE-4691-2   (Not Applicable)
CCE-4594-8, CCE-5087-2   (Not Applicable)
CCE-4616-9, CCE-4982-5   (Not Applicable)
CCE-4201-0, CCE-5137-5   (Not Applicable)
CCE-4877-7, CCE-4516-1   (Not Applicable)
CCE-5172-2, CCE-5058-3   (Not Applicable)
CCE-5177-1, CCE-4939-5   (Not Applicable)
CCE-5181-3, CCE-4204-4   (Not Applicable)
CCE-4479-2, CCE-4995-7   (Not Applicable)
CCE-5114-4, CCE-4990-8   (Not Applicable)
CCE-5131-8, CCE-4205-1   (Not Applicable)
CCE-4300-0, CCE-4734-0   (Not Applicable)
CCE-4976-7, CCE-4879-3   (Not Applicable)
CCE-4998-1, CCE-4883-5   (Not Applicable)
CCE-4535-1, CCE-5157-3   (Not Applicable)
CCE-5170-6, CCE-4910-6   (Not Applicable)
CCE-5047-6, CCE-4822-3   (Not Applicable)
(Not Applicable)   (Not Applicable)
(Not Applicable)   (Not Applicable)
CCE-5239-9   (Not Applicable)
CCE-4851-2   (Not Applicable)

Document info: posted 9/6/2012, language English, 221 pages